Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    10/09/2024, 22:00 UTC

General

  • Target

    7cf9de0bb33002957d7645ba2c7a4f780ec0937fc21f1471c6b665352a04eec1.apk

  • Size

    1.1MB

  • MD5

    6b64372da9eb946b68afe29f93988e4d

  • SHA1

    c6a22ecd0a29ae96ad795480ec75564c7362b562

  • SHA256

    7cf9de0bb33002957d7645ba2c7a4f780ec0937fc21f1471c6b665352a04eec1

  • SHA512

    aba562609a6171f8c2b4902989c4528b1df3ee269a1a153171fe5c0601850f19d01cbfd6f7da06f6dea6577f7515f643f161421967d690f7f040b73f4b94afe3

  • SSDEEP

    24576:QigmO91v2Ow1G02U9+9+lo/beUjFQXML+VghOjaRZjRqybK:QigmYw1GeWFQXML+VsRZsSK

Malware Config

Extracted

Family

ermac

C2

http://91.92.242.166:3434

AES_key
1
3141317a5031655035514765666932444d505466544c35534c6d763744697666

Extracted

Family

hook

C2

http://91.92.242.166:3434

AES_key
1
3141317a5031655035514765666932444d505466544c35534c6d763744697666

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac2 payload 2 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests enabling of the accessibility settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • nrv.yqmmemf.oh
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests enabling of the accessibility settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4317
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/nrv.yqmmemf.oh/app_apkprotector_dex/classes-v1.bin --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/nrv.yqmmemf.oh/app_apkprotector_dex/oat/x86/classes-v1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4343

Network

  • flag-us
    DNS
    semanticlocation-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    semanticlocation-pa.googleapis.com
    IN A
  • flag-nl
    GET
    http://91.92.242.166:3434/socket.io/?EIO=3&transport=polling
    Remote address:
    91.92.242.166:3434
    Request
    GET /socket.io/?EIO=3&transport=polling HTTP/1.1
    Accept: */*
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/3.8.1
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: application/octet-stream
    Date: Tue, 10 Sep 2024 22:01:08 GMT
    Content-Length: 83
  • flag-nl
    GET
    http://91.92.242.166:3434/socket.io/?EIO=3&transport=polling&sid=f
    Remote address:
    91.92.242.166:3434
    Request
    GET /socket.io/?EIO=3&transport=polling&sid=f HTTP/1.1
    Accept: */*
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/3.8.1
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: application/octet-stream
    Date: Tue, 10 Sep 2024 22:01:08 GMT
    Content-Length: 5
  • flag-nl
    POST
    http://91.92.242.166:3434/socket.io/?EIO=3&transport=polling&sid=f
    Remote address:
    91.92.242.166:3434
    Request
    POST /socket.io/?EIO=3&transport=polling&sid=f HTTP/1.1
    Accept: */*
    Content-Type: text/plain;charset=UTF-8
    Content-Length: 63
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/3.8.1
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Date: Tue, 10 Sep 2024 22:01:08 GMT
    Content-Length: 2
    Content-Type: text/plain; charset=utf-8
  • flag-nl
    GET
    http://91.92.242.166:3434/socket.io/?EIO=3&transport=websocket&sid=f
    Remote address:
    91.92.242.166:3434
    Request
    GET /socket.io/?EIO=3&transport=websocket&sid=f HTTP/1.1
    Upgrade: websocket
    Connection: Upgrade
    Sec-WebSocket-Key: 7sNR8465HjWZ8q3UY5CywA==
    Sec-WebSocket-Version: 13
    Host: 91.92.242.166:3434
    Accept-Encoding: gzip
    User-Agent: okhttp/3.8.1
    Response
    HTTP/1.1 101 Switching Protocols
    Upgrade: websocket
    Connection: Upgrade
    Sec-WebSocket-Accept: OJxoYOdQAgKe3Ld467i+f5QUHlo=
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Origin: http://91.92.242.166
  • flag-nl
    GET
    http://91.92.242.166:3434/socket.io/?EIO=3&transport=polling&sid=f
    Remote address:
    91.92.242.166:3434
    Request
    GET /socket.io/?EIO=3&transport=polling&sid=f HTTP/1.1
    Accept: */*
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/3.8.1
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: application/octet-stream
    Date: Tue, 10 Sep 2024 22:01:08 GMT
    Content-Length: 4
  • flag-nl
    POST
    http://91.92.242.166:3434/php/xr66szipgroyfl80nvvy.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/xr66szipgroyfl80nvvy.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 973
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:01:11 GMT
    Content-Length: 24
  • flag-nl
    POST
    http://91.92.242.166:3434/php/adskpsg4xbfzz8qyx2f.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/adskpsg4xbfzz8qyx2f.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:01:12 GMT
    Content-Length: 236
  • flag-nl
    POST
    http://91.92.242.166:3434/php/nhkl7ti.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/nhkl7ti.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 738
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:01:13 GMT
    Content-Length: 24
  • flag-nl
    POST
    http://91.92.242.166:3434/php/gf28ie3flh96v6r3.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/gf28ie3flh96v6r3.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 933
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:01:15 GMT
    Content-Length: 108
  • flag-nl
    POST
    http://91.92.242.166:3434/php/lkfb792tfraa.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/lkfb792tfraa.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 154
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:01:15 GMT
    Transfer-Encoding: chunked
  • flag-nl
    POST
    http://91.92.242.166:3434/php/t.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/t.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 240
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:01:20 GMT
    Content-Length: 24
  • flag-nl
    POST
    http://91.92.242.166:3434/php/jis0yevgu0e3k73c8.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/jis0yevgu0e3k73c8.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:01:23 GMT
    Content-Length: 88
  • flag-nl
    POST
    http://91.92.242.166:3434/php/aekm8fybz8c46cf.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/aekm8fybz8c46cf.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 175
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:01:32 GMT
    Content-Length: 24
  • flag-nl
    POST
    http://91.92.242.166:3434/php/94knjdnx1qsbd.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/94knjdnx1qsbd.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:01:33 GMT
    Content-Length: 88
  • flag-nl
    POST
    http://91.92.242.166:3434/php/e66ohqsppd02.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/e66ohqsppd02.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:01:42 GMT
    Content-Length: 88
  • flag-nl
    POST
    http://91.92.242.166:3434/php/g2re4tm5aqfpzqdyq.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/g2re4tm5aqfpzqdyq.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:01:47 GMT
    Content-Length: 88
  • flag-nl
    POST
    http://91.92.242.166:3434/php/huz3y0k9a.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/huz3y0k9a.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:01:52 GMT
    Content-Length: 88
  • flag-nl
    POST
    http://91.92.242.166:3434/php/c4t76bj4lsd6.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/c4t76bj4lsd6.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:01:57 GMT
    Content-Length: 88
  • flag-nl
    POST
    http://91.92.242.166:3434/php/9rf32tvb6v2ridi.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/9rf32tvb6v2ridi.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:02:02 GMT
    Content-Length: 236
  • flag-nl
    POST
    http://91.92.242.166:3434/php/4xjnxymqzujcqu.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/4xjnxymqzujcqu.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:02:07 GMT
    Content-Length: 88
  • flag-nl
    POST
    http://91.92.242.166:3434/php/q.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/q.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:02:12 GMT
    Content-Length: 88
  • flag-nl
    POST
    http://91.92.242.166:3434/php/w.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/w.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:02:18 GMT
    Content-Length: 88
  • flag-nl
    POST
    http://91.92.242.166:3434/php/pmnyq73fn55lguqh9ns.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/pmnyq73fn55lguqh9ns.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:02:23 GMT
    Content-Length: 88
  • flag-nl
    POST
    http://91.92.242.166:3434/php/lktp40chbhph2cazqvq8.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/lktp40chbhph2cazqvq8.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:02:28 GMT
    Content-Length: 88
  • flag-nl
    POST
    http://91.92.242.166:3434/php/srwkiz2x8botptj.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/srwkiz2x8botptj.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:02:33 GMT
    Content-Length: 88
  • flag-nl
    POST
    http://91.92.242.166:3434/php/zwxs.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/zwxs.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:02:38 GMT
    Content-Length: 88
  • flag-nl
    POST
    http://91.92.242.166:3434/php/o8fpmbt55b2bfgjztk.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/o8fpmbt55b2bfgjztk.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:02:43 GMT
    Content-Length: 88
  • flag-nl
    POST
    http://91.92.242.166:3434/php/at80204rr8h.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/at80204rr8h.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:02:48 GMT
    Content-Length: 88
  • flag-nl
    POST
    http://91.92.242.166:3434/php/d2tx.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/d2tx.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:02:53 GMT
    Content-Length: 88
  • flag-nl
    POST
    http://91.92.242.166:3434/php/zfbxmo.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/zfbxmo.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:02:58 GMT
    Content-Length: 88
  • flag-nl
    POST
    http://91.92.242.166:3434/php/arfgqmnn28l3ja.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/arfgqmnn28l3ja.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:03:04 GMT
    Content-Length: 88
  • flag-nl
    POST
    http://91.92.242.166:3434/php/rydv93mpmt4kz.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/rydv93mpmt4kz.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:03:09 GMT
    Content-Length: 88
  • flag-nl
    POST
    http://91.92.242.166:3434/php/gj366gsb.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/gj366gsb.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:03:14 GMT
    Content-Length: 88
  • flag-nl
    POST
    http://91.92.242.166:3434/php/gcgeeto.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/gcgeeto.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:03:19 GMT
    Content-Length: 88
  • flag-nl
    POST
    http://91.92.242.166:3434/php/uwatcab.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/uwatcab.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 90
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:03:24 GMT
    Content-Length: 88
  • flag-nl
    POST
    http://91.92.242.166:3434/php/9yzsi.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/9yzsi.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 390
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 204 No Content
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Date: Tue, 10 Sep 2024 22:01:10 GMT
  • flag-nl
    POST
    http://91.92.242.166:3434/php/ma9ivnar.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/ma9ivnar.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 738
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Content-Type: text/plain; charset=utf-8
    Date: Tue, 10 Sep 2024 22:01:20 GMT
    Content-Length: 24
  • flag-nl
    POST
    http://91.92.242.166:3434/php/8lgjvzkrl.php/
    Remote address:
    91.92.242.166:3434
    Request
    POST /php/8lgjvzkrl.php/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
    Content-Length: 758
    Content-Type: application/x-www-form-urlencoded
    Host: 91.92.242.166:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 204 No Content
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://91.92.242.166
    Date: Tue, 10 Sep 2024 22:01:10 GMT
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.187.238
  • 142.250.180.10:443
    tls, https
    202 B
    40 B
    1
    1
  • 91.92.242.166:3434
    http://91.92.242.166:3434/socket.io/?EIO=3&transport=polling&sid=f
    http
    1.8kB
    2.2kB
    16
    14

    HTTP Request

    GET http://91.92.242.166:3434/socket.io/?EIO=3&transport=polling

    HTTP Response

    200

    HTTP Request

    GET http://91.92.242.166:3434/socket.io/?EIO=3&transport=polling&sid=f

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/socket.io/?EIO=3&transport=polling&sid=f

    HTTP Response

    200
  • 91.92.242.166:3434
    http://91.92.242.166:3434/socket.io/?EIO=3&transport=websocket&sid=f
    http
    2.1kB
    1.5kB
    25
    18

    HTTP Request

    GET http://91.92.242.166:3434/socket.io/?EIO=3&transport=websocket&sid=f

    HTTP Response

    101
  • 91.92.242.166:3434
    http://91.92.242.166:3434/socket.io/?EIO=3&transport=polling&sid=f
    http
    918 B
    1.6kB
    14
    13

    HTTP Request

    GET http://91.92.242.166:3434/socket.io/?EIO=3&transport=polling&sid=f

    HTTP Response

    200
  • 91.92.242.166:3434
    http://91.92.242.166:3434/php/uwatcab.php/
    http
    20.7kB
    41.2kB
    76
    55

    HTTP Request

    POST http://91.92.242.166:3434/php/xr66szipgroyfl80nvvy.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/adskpsg4xbfzz8qyx2f.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/nhkl7ti.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/gf28ie3flh96v6r3.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/lkfb792tfraa.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/t.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/jis0yevgu0e3k73c8.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/aekm8fybz8c46cf.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/94knjdnx1qsbd.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/e66ohqsppd02.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/g2re4tm5aqfpzqdyq.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/huz3y0k9a.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/c4t76bj4lsd6.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/9rf32tvb6v2ridi.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/4xjnxymqzujcqu.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/q.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/w.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/pmnyq73fn55lguqh9ns.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/lktp40chbhph2cazqvq8.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/srwkiz2x8botptj.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/zwxs.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/o8fpmbt55b2bfgjztk.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/at80204rr8h.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/d2tx.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/zfbxmo.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/arfgqmnn28l3ja.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/rydv93mpmt4kz.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/gj366gsb.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/gcgeeto.php/

    HTTP Response

    200

    HTTP Request

    POST http://91.92.242.166:3434/php/uwatcab.php/

    HTTP Response

    200
  • 91.92.242.166:3434
    http://91.92.242.166:3434/php/ma9ivnar.php/
    http
    3.6kB
    2.1kB
    15
    14

    HTTP Request

    POST http://91.92.242.166:3434/php/9yzsi.php/

    HTTP Response

    204

    HTTP Request

    POST http://91.92.242.166:3434/php/ma9ivnar.php/

    HTTP Response

    200
  • 91.92.242.166:3434
    http://91.92.242.166:3434/php/8lgjvzkrl.php/
    http
    1.7kB
    1.3kB
    11
    10

    HTTP Request

    POST http://91.92.242.166:3434/php/8lgjvzkrl.php/

    HTTP Response

    204
  • 142.250.187.206:443
    tls, https
    858 B
    40 B
    1
    1
  • 142.250.187.238:443
    android.apis.google.com
    tls
    5.9kB
    8.9kB
    23
    22
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    semanticlocation-pa.googleapis.com
    dns
    80 B
    320 B
    1
    1

    DNS Request

    semanticlocation-pa.googleapis.com

    DNS Response


  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.187.238

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/nrv.yqmmemf.oh/app_apkprotector_dex/classes-v1.bin

    Filesize

    1.5MB

    MD5

    79a4680b0f4d5270e41b56096949d1c8

    SHA1

    00eef360ba587f685e5f0745526031e1d648d4ce

    SHA256

    b90194b0357d4c06a7519897a6f2937e9f0c11b092391a628ed18c30fdf2629c

    SHA512

    41a3d8c7039a060e28431f840c39403cc2fe5ba91800f27c9313f75f686d4dcf341018d1ce26ce0a5f1e234833339ad8a84feb1c6a1e3da2f42419a9797a36b3

  • /data/data/nrv.yqmmemf.oh/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/nrv.yqmmemf.oh/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    2134448c5b5329040925cc4cebe65052

    SHA1

    7602ff92f972b9bb0aaba54aca99562eda069fcd

    SHA256

    efb34d886c4b980820c656626b25bb6dfea8d8af25941a13aabf03adfdc936b7

    SHA512

    d34dacf5e3ab002784181d8a90ed87f7dcaf5ad32a51f588ab9c5bb2ab92dc54d00af1801967bdeb8ed91704d851ee5969b8ecfcd678c188c1a1075242a62d29

  • /data/data/nrv.yqmmemf.oh/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/nrv.yqmmemf.oh/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    33ecd36c72e2aa7b5c083174a0225629

    SHA1

    71b2d3071ba911c46839712e2085b0f1d15eadb8

    SHA256

    58a01a84c8615867863e7135dff3bdf4da50ae06f51f28c40ef25c7aca44381e

    SHA512

    211bb6927acf7e87ef28fa6f327aaa04e251f4a1ab993058eb3325cad82cc981759f4d123cf0f8a553e010ad63fc10e033d7f69cb34903e94566999589ce73a9

  • /data/data/nrv.yqmmemf.oh/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    a086fd41117a51652f30b2198c781589

    SHA1

    146479ddd80fd9375fd8ae412ef84eb32b4c7801

    SHA256

    732cd03dd7a5eede8a9f6ba3192f4e12a4714519a51387175f7ff1fb24ddc97f

    SHA512

    f0fa747e90aa58eec3da434267c48442ef92e5b2cadb9af7f21cb30fbbf3a13ce3a8f072a6cf8c285487e23b291a2ec3d115120e13f7ba6e951e3bf5fc39ac68

  • /data/data/nrv.yqmmemf.oh/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    ba4481b57a77c667d44a5d8aae104e92

    SHA1

    6251ce5a5ed135863c6f5dc443f0307c72fb6b5e

    SHA256

    bbebbea4f468dd8b03c332a1e2d60f431dfac51d40521f51f01dc69da46c18d5

    SHA512

    a60b7f322fe6b77929c9ed6595f5eb95203227b4caecdda5b2506ba8696274f9328cb9282c251249736ababb1de4c52d65e7d704ee1b88a279c6e0e196898b91

  • /data/user/0/nrv.yqmmemf.oh/app_apkprotector_dex/classes-v1.bin

    Filesize

    1.5MB

    MD5

    758fd177e85459423e1e58ff011d0f7f

    SHA1

    5e7a218f9124f8c2953ca6aa07ad89849654bb8a

    SHA256

    f2c52ede4aa12c2065909fa62d117a5d099455674013b7886b2b060693a91470

    SHA512

    d242a54f731dd28da1be7e3611db5c92d54f02aa87441dc875867de0ad2fce22595337973c04c58f05ca72a4fca1fed26f6597119089a064383f3441f682513e
