Analysis
-
max time kernel
148s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
22-12-2023 12:07
Behavioral task
behavioral1
Sample
8afc556fe140562dd935372ebef6b31b.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
8afc556fe140562dd935372ebef6b31b.exe
Resource
win10v2004-20231215-en
General
-
Target
8afc556fe140562dd935372ebef6b31b.exe
-
Size
3.9MB
-
MD5
8afc556fe140562dd935372ebef6b31b
-
SHA1
beea218fe81d1afdeafb3de2bd1b5f4873f73bce
-
SHA256
7a49ee804b6280b6895f21c33b02ed8e01f6296350a67840f591d6a540d37e96
-
SHA512
e11befde24a241e640e8b1276c11990e30cbada013a89cde927667670527e028423b8380e8434d4f5759f285134c6f562c178c2f796c0a4c3c815d7141518fc0
-
SSDEEP
98304:Byow00q/5cakcibiqhMbMgOn7n0bcakcibiqh9zEdfTbl9PRcakcibiqhMbMgOn1:cow0LdlirybMgOnkdlirnzE9TPPRdlix
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 5040 8afc556fe140562dd935372ebef6b31b.exe -
Executes dropped EXE 1 IoCs
pid Process 5040 8afc556fe140562dd935372ebef6b31b.exe -
resource yara_rule behavioral2/memory/4148-0-0x0000000000400000-0x000000000065C000-memory.dmp upx behavioral2/memory/5040-14-0x0000000000400000-0x000000000065C000-memory.dmp upx behavioral2/files/0x00070000000231fa-12.dat upx -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Program crash 3 IoCs
pid pid_target Process procid_target 4868 5040 WerFault.exe 84 2364 5040 WerFault.exe 84 4956 5040 WerFault.exe 84 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3720 schtasks.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 8afc556fe140562dd935372ebef6b31b.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 8afc556fe140562dd935372ebef6b31b.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 8afc556fe140562dd935372ebef6b31b.exe Key created \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405 8afc556fe140562dd935372ebef6b31b.exe Set value (data) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f95c0000000100000004000000000800001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2 8afc556fe140562dd935372ebef6b31b.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 4148 8afc556fe140562dd935372ebef6b31b.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 4148 8afc556fe140562dd935372ebef6b31b.exe 5040 8afc556fe140562dd935372ebef6b31b.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4148 wrote to memory of 5040 4148 8afc556fe140562dd935372ebef6b31b.exe 84 PID 4148 wrote to memory of 5040 4148 8afc556fe140562dd935372ebef6b31b.exe 84 PID 4148 wrote to memory of 5040 4148 8afc556fe140562dd935372ebef6b31b.exe 84 PID 5040 wrote to memory of 3720 5040 8afc556fe140562dd935372ebef6b31b.exe 93 PID 5040 wrote to memory of 3720 5040 8afc556fe140562dd935372ebef6b31b.exe 93 PID 5040 wrote to memory of 3720 5040 8afc556fe140562dd935372ebef6b31b.exe 93 PID 5040 wrote to memory of 800 5040 8afc556fe140562dd935372ebef6b31b.exe 94 PID 5040 wrote to memory of 800 5040 8afc556fe140562dd935372ebef6b31b.exe 94 PID 5040 wrote to memory of 800 5040 8afc556fe140562dd935372ebef6b31b.exe 94 PID 800 wrote to memory of 3948 800 cmd.exe 96 PID 800 wrote to memory of 3948 800 cmd.exe 96 PID 800 wrote to memory of 3948 800 cmd.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\8afc556fe140562dd935372ebef6b31b.exe"C:\Users\Admin\AppData\Local\Temp\8afc556fe140562dd935372ebef6b31b.exe"1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Users\Admin\AppData\Local\Temp\8afc556fe140562dd935372ebef6b31b.exeC:\Users\Admin\AppData\Local\Temp\8afc556fe140562dd935372ebef6b31b.exe2⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\8afc556fe140562dd935372ebef6b31b.exe" /TN EftJtVnu5bdb /F3⤵
- Creates scheduled task(s)
PID:3720
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c schtasks.exe /Query /XML /TN EftJtVnu5bdb > C:\Users\Admin\AppData\Local\Temp\9Co0Udj.xml3⤵
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Query /XML /TN EftJtVnu5bdb4⤵PID:3948
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 6163⤵
- Program crash
PID:4868
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 6043⤵
- Program crash
PID:2364
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 10083⤵
- Program crash
PID:4956
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5040 -ip 50401⤵PID:2856
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5040 -ip 50401⤵PID:1936
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5040 -ip 50401⤵PID:2184
Network
-
Remote address:8.8.8.8:53Request6.181.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request194.178.17.96.in-addr.arpaIN PTRResponse194.178.17.96.in-addr.arpaIN PTRa96-17-178-194deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.154.82.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request41.110.16.96.in-addr.arpaIN PTRResponse41.110.16.96.in-addr.arpaIN PTRa96-16-110-41deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Requestpastebin.comIN AResponsepastebin.comIN A172.67.34.170pastebin.comIN A104.20.68.143pastebin.comIN A104.20.67.143
-
Remote address:8.8.8.8:53Requestcutit.orgIN AResponsecutit.orgIN A64.91.240.248
-
Remote address:64.91.240.248:443RequestGET /oxgBR HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Host: cutit.org
Cache-Control: no-cache
ResponseHTTP/1.1 302 Moved Temporarily
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
X-Powered-By: PHP/5.4.16
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Location: http://ww1.cutit.org/oxgBR?usid=25&utid=4367020876
Content-Length: 0
Content-Type: text/html; charset=UTF-8
-
Remote address:8.8.8.8:53Request170.34.67.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request248.240.91.64.in-addr.arpaIN PTRResponse248.240.91.64.in-addr.arpaIN PTRcrocodile parklogiccom
-
Remote address:8.8.8.8:53Request32.169.19.2.in-addr.arpaIN PTRResponse32.169.19.2.in-addr.arpaIN PTRa2-19-169-32deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Requestww1.cutit.orgIN AResponseww1.cutit.orgIN CNAMEsedoparking.comsedoparking.comIN A64.190.63.136
-
Remote address:64.190.63.136:80RequestGET /oxgBR?usid=25&utid=4367020876 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Cache-Control: no-cache
Host: ww1.cutit.org
Connection: Keep-Alive
ResponseHTTP/1.1 436
content-length: 0
server: NginX
-
Remote address:8.8.8.8:53Requestq.gsIN AResponseq.gsIN A172.67.193.84q.gsIN A104.21.84.133
-
Remote address:172.67.193.84:80RequestGET /EVnYC HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: q.gs
Cache-Control: no-cache
ResponseHTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=6t0sk7pjocb1t4j66ijngp5341; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: http://yxeepsek.net/-20GIDC/EVnYC?rndad=1502943035-1703246870
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=tbewWV6BOpfDEMdjQeRl8eKNrbSQJZuZMU9dYr4gXsQS7zum7ZQRAnplZyX5PN0TQhCCv%2FZGznB8ZG%2FGCCRD1gtb2PEOvqGZQm83KBSLn%2BhpeFbUm04Q"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 83983f2b68126527-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:8.8.8.8:53Requestyxeepsek.netIN AResponseyxeepsek.netIN A104.21.20.204yxeepsek.netIN A172.67.194.101
-
GEThttp://yxeepsek.net/-20GIDC/EVnYC?rndad=1502943035-17032468708afc556fe140562dd935372ebef6b31b.exeRemote address:104.21.20.204:80RequestGET /-20GIDC/EVnYC?rndad=1502943035-1703246870 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Cache-Control: no-cache
Host: yxeepsek.net
Connection: Keep-Alive
ResponseHTTP/1.1 302 Found
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=gd3e8uvsvuqi6ujg61p0ogg0tn; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: /suspended?a=3&u=20186239
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=H3tnauMogEXVw%2Fb6RMYf8rz1GxNWlCSGU4xTiv5GiAmlHuOqowkbmPEv82yLhGloSyKxhmIbKQ2Nk9tAiW4KEUt0FutisIr2RjLaHoSSf7deLISPI%2Fw8KXHHHOHUEHQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 83983f2d6ac388a9-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:104.21.20.204:80RequestGET /suspended?a=3&u=20186239 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Cache-Control: no-cache
Host: yxeepsek.net
Connection: Keep-Alive
Cookie: FLYSESSID=gd3e8uvsvuqi6ujg61p0ogg0tn
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
last-modified: Tue, 10 Nov 2020 09:44:07 GMT
vary: Accept-Encoding
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=aoIJwFN9Zyb5iq67LO4zmLgDJTxlM%2BjZiiEMdf9ROInt0Uh56XDLLXQtf1Ke14APsj6kuieV%2B8MPK6m%2FJSG8NV1veHviPXgey%2B1sq0Q5GWvW0oY8xJss4mnjVdWl464%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 83983f2edcb688a9-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:8.8.8.8:53Request136.63.190.64.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request193.179.17.96.in-addr.arpaIN PTRResponse193.179.17.96.in-addr.arpaIN PTRa96-17-179-193deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request84.193.67.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request204.20.21.104.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request26.165.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.126.166.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.134.221.88.in-addr.arpaIN PTRResponse18.134.221.88.in-addr.arpaIN PTRa88-221-134-18deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request180.178.17.96.in-addr.arpaIN PTRResponse180.178.17.96.in-addr.arpaIN PTRa96-17-178-180deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request23.236.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request79.121.231.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request152.141.79.40.in-addr.arpaIN PTRResponse
-
156 B 3
-
190 B 92 B 4 2
-
1.2kB 3.9kB 15 10
HTTP Request
GET https://cutit.org/oxgBRHTTP Response
302 -
64.190.63.136:80http://ww1.cutit.org/oxgBR?usid=25&utid=4367020876http8afc556fe140562dd935372ebef6b31b.exe798 B 216 B 12 3
HTTP Request
GET http://ww1.cutit.org/oxgBR?usid=25&utid=4367020876HTTP Response
436 -
418 B 1.1kB 6 4
HTTP Request
GET http://q.gs/EVnYCHTTP Response
301 -
104.21.20.204:80http://yxeepsek.net/suspended?a=3&u=20186239http8afc556fe140562dd935372ebef6b31b.exe903 B 3.2kB 10 8
HTTP Request
GET http://yxeepsek.net/-20GIDC/EVnYC?rndad=1502943035-1703246870HTTP Response
302HTTP Request
GET http://yxeepsek.net/suspended?a=3&u=20186239HTTP Response
200
-
71 B 157 B 1 1
DNS Request
6.181.190.20.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
194.178.17.96.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.154.82.20.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
41.110.16.96.in-addr.arpa
-
58 B 106 B 1 1
DNS Request
pastebin.com
DNS Response
172.67.34.170104.20.68.143104.20.67.143
-
55 B 71 B 1 1
DNS Request
cutit.org
DNS Response
64.91.240.248
-
72 B 134 B 1 1
DNS Request
170.34.67.172.in-addr.arpa
-
72 B 109 B 1 1
DNS Request
248.240.91.64.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
32.169.19.2.in-addr.arpa
-
59 B 104 B 1 1
DNS Request
ww1.cutit.org
DNS Response
64.190.63.136
-
50 B 82 B 1 1
DNS Request
q.gs
DNS Response
172.67.193.84104.21.84.133
-
58 B 90 B 1 1
DNS Request
yxeepsek.net
DNS Response
104.21.20.204172.67.194.101
-
72 B 156 B 1 1
DNS Request
136.63.190.64.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
193.179.17.96.in-addr.arpa
-
72 B 134 B 1 1
DNS Request
84.193.67.172.in-addr.arpa
-
72 B 134 B 1 1
DNS Request
204.20.21.104.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
26.165.165.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
56.126.166.20.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
18.134.221.88.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
180.178.17.96.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
23.236.111.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
79.121.231.20.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
152.141.79.40.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
203KB
MD56849ad2e88ab1e9fb814600416cd2e0e
SHA18800581c50d6cecaf750423a58c0dba9867845b3
SHA25648f0d46308ad72445aa657d3ad0219d4eefd6bd8af9ed3e8406a48d6054a0024
SHA512d861b049e8c61256b48f56b2d0d8b5299bec41bb7a0c8ae1fc2801de9080433e7c38fa26bb28311fbf0067b011298e5232a8f446f69f5f65d100866e655e2177
-
Filesize
1KB
MD54597c34611d4d40a6eff0a617f0ae21c
SHA1b2db33e8b547aa38bba48907b8adaf97397cf15d
SHA2567227e6595342d7e49386a6ff34a26994421cc31a4475c43d809fdcb0df6275f1
SHA5120340c929306b3ebc246ab3de28a1ce4e92556dd2c379f01838e5e0780d70f62f828f64fb3163e229bb60a5a2771cde0962f6d1faffadf07a80e2e4ae80598cac