Resubmissions

20/07/2024, 17:01 UTC

240720-vjk4cswbkp 7

20/07/2024, 16:55 UTC

240720-ve8nvstgkb 7

20/07/2024, 16:53 UTC

240720-vedtgswamn 7

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/07/2024, 17:01 UTC

General

  • Target

    RVVNfAFuoPUg.exe

  • Size

    20.5MB

  • MD5

    e5bb4ca071b4a7f32467d4260fef5610

  • SHA1

    7e950adae620544f07a3b455546e498a6ac2c4d0

  • SHA256

    f9cb65c4d208ba89805850d0ea1e2d9853236ac21ad1f93a4f263f377ddd614c

  • SHA512

    065cd30ca5bd18bc9d7be0c3700f1f6282b2525f59d741e3a0476d0572b4b0c90f077ecedc0aea4df7eded285948a9ebc54b8192fc2260862b9999c564ab7ca2

  • SSDEEP

    393216:HNZI9KZ5ikvL+rWGtlqSfBI5xX4LH4pYZv7ugs7G2pWCL6o+DhUOvNR:U9KZ4kvqrh/hfBI5xXoH4KZviTGDaOvf

Score
7/10

Malware Config

Signatures

  • Themida packer 5 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RVVNfAFuoPUg.exe
    "C:\Users\Admin\AppData\Local\Temp\RVVNfAFuoPUg.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    PID:3652
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4524
    • C:\Users\Admin\AppData\Local\Temp\RVVNfAFuoPUg.exe
      "C:\Users\Admin\AppData\Local\Temp\RVVNfAFuoPUg.exe"
      1⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2004
    • C:\Users\Admin\AppData\Local\Temp\RVVNfAFuoPUg.exe
      "C:\Users\Admin\AppData\Local\Temp\RVVNfAFuoPUg.exe"
      1⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:4204

    Network

    • flag-us
      DNS
      196.249.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      196.249.167.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      76.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      76.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      88.156.103.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      88.156.103.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      217.106.137.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.106.137.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      157.123.68.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      157.123.68.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      81.144.22.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      81.144.22.2.in-addr.arpa
      IN PTR
      Response
      81.144.22.2.in-addr.arpa
      IN PTR
      a2-22-144-81.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      205.47.74.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      205.47.74.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      13.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      13.227.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340418540_1UQTKN6JO04LNXB5Q&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239340418540_1UQTKN6JO04LNXB5Q&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 299452
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 12C948A5B7FD445695ECEA1DA43BF8DC Ref B: LON04EDGE1221 Ref C: 2024-07-20T17:03:08Z
      date: Sat, 20 Jul 2024 17:03:08 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301044_1R6E1MOEVCAUYY73I&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239317301044_1R6E1MOEVCAUYY73I&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 577346
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: B1C4BD4405BF4A02BE72C7F34B18A377 Ref B: LON04EDGE1221 Ref C: 2024-07-20T17:03:08Z
      date: Sat, 20 Jul 2024 17:03:08 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340418539_1KFG8UNZE5MUR2Y24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239340418539_1KFG8UNZE5MUR2Y24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 676162
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 49777FC0F29043E5B6EB1E16FDB36FC1 Ref B: LON04EDGE1221 Ref C: 2024-07-20T17:03:08Z
      date: Sat, 20 Jul 2024 17:03:08 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301718_1O49LH3F36Y9OZ53W&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239317301718_1O49LH3F36Y9OZ53W&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 581331
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: B4698C167A2E4B88AB9B676E4399D360 Ref B: LON04EDGE1221 Ref C: 2024-07-20T17:03:08Z
      date: Sat, 20 Jul 2024 17:03:08 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301309_1JFFGJ64L9I4K3JMP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239317301309_1JFFGJ64L9I4K3JMP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 267906
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 6BFB268A60C14BAE994D9E32E641448E Ref B: LON04EDGE1221 Ref C: 2024-07-20T17:03:08Z
      date: Sat, 20 Jul 2024 17:03:08 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301477_14PVM3YMRTCSD2NZ8&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239317301477_14PVM3YMRTCSD2NZ8&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 694757
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 4BCB11727842453FBCC424121A8FBB41 Ref B: LON04EDGE1221 Ref C: 2024-07-20T17:03:09Z
      date: Sat, 20 Jul 2024 17:03:09 GMT
    • flag-us
      DNS
      10.28.171.150.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      10.28.171.150.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      panel.fruityskills.com
      RVVNfAFuoPUg.exe
      Remote address:
      8.8.8.8:53
      Request
      panel.fruityskills.com
      IN A
      Response
      panel.fruityskills.com
      IN A
      104.21.82.249
      panel.fruityskills.com
      IN A
      172.67.166.56
    • flag-us
      GET
      https://panel.fruityskills.com/api/login.php?id=5870657274&uuid=Og==&hwid=532D312D352D32312D313430333234363937382D3731383535353438362D333130353234373133372D31303030313233&current=44304436324735494A46444435444446533248333731444B4143475548374E4A&a=OjG3nP7644gT2EZL&h=e5bb4ca071b4a7f32467d4260fef5610&ppn=45636C69707365
      RVVNfAFuoPUg.exe
      Remote address:
      104.21.82.249:443
      Request
      GET /api/login.php?id=5870657274&uuid=Og==&hwid=532D312D352D32312D313430333234363937382D3731383535353438362D333130353234373133372D31303030313233&current=44304436324735494A46444435444446533248333731444B4143475548374E4A&a=OjG3nP7644gT2EZL&h=e5bb4ca071b4a7f32467d4260fef5610&ppn=45636C69707365 HTTP/1.1
      Host: panel.fruityskills.com
      Accept: */*
      Response
      HTTP/1.1 200 OK
      Date: Sat, 20 Jul 2024 17:03:22 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Vary: Accept-Encoding,User-Agent
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KvZMfvOSo7VSocKXHVZuVn6i7PDaOlJnV5uynig5aKMPre%2FpoZl%2FaVNRtSWmqOzS0%2FwFRBiVWbqNDljzPsunBWAbgvhRM9XA7xWSza9%2BSL0a52OnCHVkrAnh8JkqR0dvZ4ELBEgYbkMA"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8a6486309c6f76ed-LHR
      alt-svc: h3=":443"; ma=86400
    • flag-us
      GET
      https://panel.fruityskills.com/api/apiaccess.php?api=Sy340uO1sQRh&action=responseData&program=Eclipse&responseID=
      RVVNfAFuoPUg.exe
      Remote address:
      104.21.82.249:443
      Request
      GET /api/apiaccess.php?api=Sy340uO1sQRh&action=responseData&program=Eclipse&responseID= HTTP/1.1
      Host: panel.fruityskills.com
      Accept: */*
      Response
      HTTP/1.1 200 OK
      Date: Sat, 20 Jul 2024 17:03:23 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Vary: Accept-Encoding,User-Agent
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D3IK7nn%2FoYTvMVbNsB5Cl8%2FbLx6iyvFWrVS%2B9laWeMBZT8T5RiElr5hCmWOBQ4HSrICgLoXwUPBn8nYnFxUrFBkDBSDRrbnbCL3t4oo%2BljhB%2BHuyo4Z3HQVT6khEFoLPFQpI6e0JS3Uy"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8a6486369b49768c-LHR
      alt-svc: h3=":443"; ma=86400
    • flag-us
      DNS
      c.pki.goog
      Remote address:
      8.8.8.8:53
      Request
      c.pki.goog
      IN A
      Response
      c.pki.goog
      IN CNAME
      pki-goog.l.google.com
      pki-goog.l.google.com
      IN A
      216.58.201.99
    • flag-us
      DNS
      249.82.21.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      249.82.21.104.in-addr.arpa
      IN PTR
      Response
    • flag-gb
      GET
      http://c.pki.goog/r/gsr1.crl
      Remote address:
      216.58.201.99:80
      Request
      GET /r/gsr1.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: c.pki.goog
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 1739
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Sat, 20 Jul 2024 17:01:02 GMT
      Expires: Sat, 20 Jul 2024 17:51:02 GMT
      Cache-Control: public, max-age=3000
      Age: 140
      Last-Modified: Mon, 08 Jul 2024 07:38:00 GMT
      Content-Type: application/pkix-crl
      Vary: Accept-Encoding
    • flag-gb
      GET
      http://c.pki.goog/r/r4.crl
      Remote address:
      216.58.201.99:80
      Request
      GET /r/r4.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: c.pki.goog
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 436
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Sat, 20 Jul 2024 16:53:25 GMT
      Expires: Sat, 20 Jul 2024 17:43:25 GMT
      Cache-Control: public, max-age=3000
      Age: 597
      Last-Modified: Wed, 01 Nov 2023 07:48:00 GMT
      Content-Type: application/pkix-crl
      Vary: Accept-Encoding
    • flag-us
      DNS
      99.201.58.216.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      99.201.58.216.in-addr.arpa
      IN PTR
      Response
      99.201.58.216.in-addr.arpa
      IN PTR
      lhr48s48-in-f3.1e100.net
      99.201.58.216.in-addr.arpa
      IN PTR
      prg03s02-in-f3
      99.201.58.216.in-addr.arpa
      IN PTR
      prg03s02-in-f99
    • flag-us
      GET
      https://panel.fruityskills.com/api/login.php?id=5870657274&uuid=XQ==&hwid=532D312D352D32312D313430333234363937382D3731383535353438362D333130353234373133372D31303030313233&current=4332484837493232474B444A44444B44&a=XdXLOTL6X8FBZkH0&h=e5bb4ca071b4a7f32467d4260fef5610&ppn=45636C69707365
      RVVNfAFuoPUg.exe
      Remote address:
      104.21.82.249:443
      Request
      GET /api/login.php?id=5870657274&uuid=XQ==&hwid=532D312D352D32312D313430333234363937382D3731383535353438362D333130353234373133372D31303030313233&current=4332484837493232474B444A44444B44&a=XdXLOTL6X8FBZkH0&h=e5bb4ca071b4a7f32467d4260fef5610&ppn=45636C69707365 HTTP/1.1
      Host: panel.fruityskills.com
      Accept: */*
      Response
      HTTP/1.1 200 OK
      Date: Sat, 20 Jul 2024 17:03:41 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Vary: Accept-Encoding,User-Agent
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EVrBWB6x1uIKWTbA6E6rA1ToxvGUKbKplwx4cY5eNt5yu2EMLWK3NcSoNcBX9%2Fe8lK5AeIEnZLLanacn0iZpdzlx%2BA5qo%2F5c9u%2Btqp804CMdE7N2rVPfvBPHaWZEsXJONjrgCoBJg%2FSW"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8a6486a94b216551-LHR
      alt-svc: h3=":443"; ma=86400
    • flag-us
      GET
      https://panel.fruityskills.com/api/apiaccess.php?api=Sy340uO1sQRh&action=responseData&program=Eclipse&responseID=6853
      RVVNfAFuoPUg.exe
      Remote address:
      104.21.82.249:443
      Request
      GET /api/apiaccess.php?api=Sy340uO1sQRh&action=responseData&program=Eclipse&responseID=6853 HTTP/1.1
      Host: panel.fruityskills.com
      Accept: */*
      Response
      HTTP/1.1 200 OK
      Date: Sat, 20 Jul 2024 17:03:42 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Vary: Accept-Encoding,User-Agent
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fHYcUcbNUKsPQw2Y9ZUMxqvtqXFF4FYZm7b5%2BPMbf%2BXLFcQcV1BMHU6VdAixo5UjPrxqi671iC0Q%2Bm%2F089GdYLwPq2g6MzhBEEnwMw1IGBm6D%2BTQlx2ge2ibMxr%2B9AiUuV5ZHoD8kDt3"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8a6486ada9937762-LHR
      alt-svc: h3=":443"; ma=86400
    • 150.171.28.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      6.9kB
      15
      13
    • 150.171.28.10:443
      https://tse1.mm.bing.net/th?id=OADD2.10239317301477_14PVM3YMRTCSD2NZ8&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      tls, http2
      110.8kB
      3.2MB
      2332
      2329

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340418540_1UQTKN6JO04LNXB5Q&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301044_1R6E1MOEVCAUYY73I&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340418539_1KFG8UNZE5MUR2Y24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301718_1O49LH3F36Y9OZ53W&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301309_1JFFGJ64L9I4K3JMP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301477_14PVM3YMRTCSD2NZ8&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Response

      200
    • 150.171.28.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      6.9kB
      15
      13
    • 150.171.28.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      6.9kB
      15
      13
    • 150.171.28.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      6.9kB
      15
      13
    • 104.21.82.249:443
      https://panel.fruityskills.com/api/login.php?id=5870657274&uuid=Og==&hwid=532D312D352D32312D313430333234363937382D3731383535353438362D333130353234373133372D31303030313233&current=44304436324735494A46444435444446533248333731444B4143475548374E4A&a=OjG3nP7644gT2EZL&h=e5bb4ca071b4a7f32467d4260fef5610&ppn=45636C69707365
      tls, http
      RVVNfAFuoPUg.exe
      1.2kB
      4.2kB
      11
      11

      HTTP Request

      GET https://panel.fruityskills.com/api/login.php?id=5870657274&uuid=Og==&hwid=532D312D352D32312D313430333234363937382D3731383535353438362D333130353234373133372D31303030313233&current=44304436324735494A46444435444446533248333731444B4143475548374E4A&a=OjG3nP7644gT2EZL&h=e5bb4ca071b4a7f32467d4260fef5610&ppn=45636C69707365

      HTTP Response

      200
    • 127.0.0.1:62149
      RVVNfAFuoPUg.exe
    • 127.0.0.1:62151
      RVVNfAFuoPUg.exe
    • 104.21.82.249:443
      https://panel.fruityskills.com/api/apiaccess.php?api=Sy340uO1sQRh&action=responseData&program=Eclipse&responseID=
      tls, http
      RVVNfAFuoPUg.exe
      977 B
      4.4kB
      11
      11

      HTTP Request

      GET https://panel.fruityskills.com/api/apiaccess.php?api=Sy340uO1sQRh&action=responseData&program=Eclipse&responseID=

      HTTP Response

      200
    • 216.58.201.99:80
      http://c.pki.goog/r/r4.crl
      http
      510 B
      3.8kB
      6
      5

      HTTP Request

      GET http://c.pki.goog/r/gsr1.crl

      HTTP Response

      200

      HTTP Request

      GET http://c.pki.goog/r/r4.crl

      HTTP Response

      200
    • 127.0.0.1:62154
      RVVNfAFuoPUg.exe
    • 127.0.0.1:62156
      RVVNfAFuoPUg.exe
    • 104.21.82.249:443
      https://panel.fruityskills.com/api/login.php?id=5870657274&uuid=XQ==&hwid=532D312D352D32312D313430333234363937382D3731383535353438362D333130353234373133372D31303030313233&current=4332484837493232474B444A44444B44&a=XdXLOTL6X8FBZkH0&h=e5bb4ca071b4a7f32467d4260fef5610&ppn=45636C69707365
      tls, http
      RVVNfAFuoPUg.exe
      1.1kB
      4.2kB
      10
      11

      HTTP Request

      GET https://panel.fruityskills.com/api/login.php?id=5870657274&uuid=XQ==&hwid=532D312D352D32312D313430333234363937382D3731383535353438362D333130353234373133372D31303030313233&current=4332484837493232474B444A44444B44&a=XdXLOTL6X8FBZkH0&h=e5bb4ca071b4a7f32467d4260fef5610&ppn=45636C69707365

      HTTP Response

      200
    • 104.21.82.249:443
      https://panel.fruityskills.com/api/apiaccess.php?api=Sy340uO1sQRh&action=responseData&program=Eclipse&responseID=6853
      tls, http
      RVVNfAFuoPUg.exe
      935 B
      4.5kB
      10
      11

      HTTP Request

      GET https://panel.fruityskills.com/api/apiaccess.php?api=Sy340uO1sQRh&action=responseData&program=Eclipse&responseID=6853

      HTTP Response

      200
    • 127.0.0.1:62183
      RVVNfAFuoPUg.exe
    • 127.0.0.1:62185
      RVVNfAFuoPUg.exe
    • 127.0.0.1:62188
      RVVNfAFuoPUg.exe
    • 127.0.0.1:62190
      RVVNfAFuoPUg.exe
    • 8.8.8.8:53
      196.249.167.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      196.249.167.52.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      76.32.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      76.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      88.156.103.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      88.156.103.20.in-addr.arpa

    • 8.8.8.8:53
      217.106.137.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      217.106.137.52.in-addr.arpa

    • 8.8.8.8:53
      157.123.68.40.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      157.123.68.40.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      81.144.22.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      81.144.22.2.in-addr.arpa

    • 8.8.8.8:53
      205.47.74.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      205.47.74.20.in-addr.arpa

    • 8.8.8.8:53
      13.227.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      13.227.111.52.in-addr.arpa

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      62 B
      170 B
      1
      1

      DNS Request

      tse1.mm.bing.net

      DNS Response

      150.171.28.10
      150.171.27.10

    • 8.8.8.8:53
      10.28.171.150.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      10.28.171.150.in-addr.arpa

    • 8.8.8.8:53
      panel.fruityskills.com
      dns
      RVVNfAFuoPUg.exe
      68 B
      100 B
      1
      1

      DNS Request

      panel.fruityskills.com

      DNS Response

      104.21.82.249
      172.67.166.56

    • 8.8.8.8:53
      c.pki.goog
      dns
      56 B
      107 B
      1
      1

      DNS Request

      c.pki.goog

      DNS Response

      216.58.201.99

    • 8.8.8.8:53
      249.82.21.104.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      249.82.21.104.in-addr.arpa

    • 8.8.8.8:53
      99.201.58.216.in-addr.arpa
      dns
      72 B
      169 B
      1
      1

      DNS Request

      99.201.58.216.in-addr.arpa

    MITRE ATT&CK Matrix

    Downloads

    • memory/2004-44-0x0000000140000000-0x000000014296B000-memory.dmp

      Filesize

      41.4MB

    • memory/3652-11-0x00007FF898AF0000-0x00007FF898AF2000-memory.dmp

      Filesize

      8KB

    • memory/3652-7-0x00007FF898AB0000-0x00007FF898AB2000-memory.dmp

      Filesize

      8KB

    • memory/3652-3-0x00007FF898A70000-0x00007FF898A72000-memory.dmp

      Filesize

      8KB

    • memory/3652-2-0x00007FF898A60000-0x00007FF898A62000-memory.dmp

      Filesize

      8KB

    • memory/3652-1-0x00007FF898A50000-0x00007FF898A52000-memory.dmp

      Filesize

      8KB

    • memory/3652-6-0x00007FF898AA0000-0x00007FF898AA2000-memory.dmp

      Filesize

      8KB

    • memory/3652-0-0x0000000140DB1000-0x00000001414F2000-memory.dmp

      Filesize

      7.3MB

    • memory/3652-8-0x00007FF898AC0000-0x00007FF898AC2000-memory.dmp

      Filesize

      8KB

    • memory/3652-10-0x00007FF898AE0000-0x00007FF898AE2000-memory.dmp

      Filesize

      8KB

    • memory/3652-9-0x00007FF898AD0000-0x00007FF898AD2000-memory.dmp

      Filesize

      8KB

    • memory/3652-5-0x00007FF898A90000-0x00007FF898A92000-memory.dmp

      Filesize

      8KB

    • memory/3652-12-0x00007FF898B00000-0x00007FF898B02000-memory.dmp

      Filesize

      8KB

    • memory/3652-15-0x00007FF898B30000-0x00007FF898B32000-memory.dmp

      Filesize

      8KB

    • memory/3652-14-0x00007FF898B20000-0x00007FF898B22000-memory.dmp

      Filesize

      8KB

    • memory/3652-17-0x00007FF898B50000-0x00007FF898B52000-memory.dmp

      Filesize

      8KB

    • memory/3652-16-0x00007FF898B40000-0x00007FF898B42000-memory.dmp

      Filesize

      8KB

    • memory/3652-13-0x00007FF898B10000-0x00007FF898B12000-memory.dmp

      Filesize

      8KB

    • memory/3652-22-0x0000000140000000-0x000000014296B000-memory.dmp

      Filesize

      41.4MB

    • memory/3652-23-0x0000000140DB1000-0x00000001414F2000-memory.dmp

      Filesize

      7.3MB

    • memory/3652-24-0x0000000140000000-0x000000014296B000-memory.dmp

      Filesize

      41.4MB

    • memory/3652-25-0x0000000140DB1000-0x00000001414F2000-memory.dmp

      Filesize

      7.3MB

    • memory/3652-26-0x0000000140000000-0x000000014296B000-memory.dmp

      Filesize

      41.4MB

    • memory/3652-4-0x00007FF898A80000-0x00007FF898A82000-memory.dmp

      Filesize

      8KB

    • memory/4204-65-0x0000000140000000-0x000000014296B000-memory.dmp

      Filesize

      41.4MB
